Vulnerability Details: CVE-2019-10193
A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By corrupting a hyperloglog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.
Vulnerability category: Overflow; Memory Corruption
Products affected by CVE-2019-10193
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:9:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_operations_monitor:4.1:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:*:*
Threat overview for CVE-2019-10193
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2019-10193: 82,399
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2019-10193
- EPSS score: 17.52% (probability of exploitation activity in the next 30 days)
- Percentile: ~96% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-10193
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST |
7.2 | HIGH | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | Red Hat, Inc. |
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST |
CWE ids for CVE-2019-10193
- A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). Assigned by: secalert@redhat.com (Secondary)
- The product writes data past the end, or before the beginning, of the intended buffer. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-10193
- https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES (Release Notes; Vendor Advisory)
- https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES (Release Notes; Vendor Advisory)
- https://www.oracle.com/security-alerts/cpujul2020.html "Oracle Critical Patch Update Advisory - July 2020" (Patch; Third Party Advisory)
- https://usn.ubuntu.com/4061-1/ "USN-4061-1: Redis vulnerabilities | Ubuntu security notices" (Third Party Advisory)
- https://security.gentoo.org/glsa/201908-04 "Redis: Multiple vulnerabilities (GLSA 201908-04) — Gentoo security" (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10193 "1727668 – (CVE-2019-10193) CVE-2019-10193 redis: Stack buffer overflow in HyperLogLog triggered by malicious client" (Issue Tracking; Third Party Advisory)
- https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES (Release Notes; Vendor Advisory)
- https://www.debian.org/security/2019/dsa-4480 "Debian -- Security Information -- DSA-4480-1 redis" (Third Party Advisory)
- http://www.securityfocus.com/bid/109290 "Redis Multiple Buffer Overflow Vulnerabilities" (Third Party Advisory; VDB Entry)
- https://seclists.org/bugtraq/2019/Jul/19 "Bugtraq: [SECURITY] [DSA 4480-1] redis security update" (Mailing List; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1819 "RHSA-2019:1819 - Security Advisory - Red Hat Customer Portal" (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:2002 "RHSA-2019:2002 - Security Advisory - Red Hat Customer Portal" (Third Party Advisory)