Vulnerability Details : CVE-2019-10192
A heap-buffer overflow vulnerability was found in the Redis HyperLogLog data structure in versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By carefully corrupting a HyperLogLog value with the SETRANGE command, an attacker could trick Redis's interpretation of the dense HLL encoding into writing up to 3 bytes beyond the end of a heap-allocated buffer.
Vulnerability category: Overflow; Memory Corruption
Products affected by CVE-2019-10192
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_operations_monitor:4.1:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:*:*
Threat overview for CVE-2019-10192
- Top countries where our scanners detected CVE-2019-10192: (chart not reproduced)
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2019-10192: 88,013
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2019-10192
- EPSS score: 15.17% (probability of exploitation activity in the next 30 days)
- EPSS score history: (chart not reproduced)
- Percentile: ~96% (the proportion of vulnerabilities that are scored at or below this level)
CVSS scores for CVE-2019-10192
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | Red Hat, Inc. | |
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | |
CWE ids for CVE-2019-10192
- A heap overflow condition is a buffer overflow where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Assigned by: secalert@redhat.com (Secondary)
- The product writes data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-10192
- https://access.redhat.com/errata/RHSA-2019:2621 | RHSA-2019:2621 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES | Redis 5.0 release notes | Release Notes; Vendor Advisory
- https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES | Redis 4.0 release notes | Release Notes; Vendor Advisory
- https://access.redhat.com/errata/RHSA-2019:2506 | RHSA-2019:2506 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:1860 | RHSA-2019:1860 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2020.html | Oracle Critical Patch Update Advisory - July 2020 | Patch; Third Party Advisory
- https://usn.ubuntu.com/4061-1/ | USN-4061-1: Redis vulnerabilities | Ubuntu security notices | Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10192 | 1723918 – (CVE-2019-10192) CVE-2019-10192 redis: Heap buffer overflow in HyperLogLog triggered by malicious client | Issue Tracking; Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:2630 | RHSA-2019:2630 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- https://security.gentoo.org/glsa/201908-04 | Redis: Multiple vulnerabilities (GLSA 201908-04) - Gentoo security | Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:2508 | RHSA-2019:2508 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES | Redis 3.2 release notes | Release Notes; Vendor Advisory
- https://www.debian.org/security/2019/dsa-4480 | Debian -- Security Information -- DSA-4480-1 redis | Third Party Advisory
- http://www.securityfocus.com/bid/109290 | Redis Multiple Buffer Overflow Vulnerabilities | Third Party Advisory; VDB Entry
- https://seclists.org/bugtraq/2019/Jul/19 | Bugtraq: [SECURITY] [DSA 4480-1] redis security update | Mailing List; Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:1819 | RHSA-2019:1819 - Security Advisory - Red Hat Customer Portal | Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:2002 | RHSA-2019:2002 - Security Advisory - Red Hat Customer Portal | Third Party Advisory