Vulnerability Details: CVE-2023-28856
Redis is an open source, in-memory database that persists on disk. In affected versions, an authenticated user can use the `HINCRBYFLOAT` command to create an invalid hash field; Redis then crashes when that field is accessed. This issue has been addressed in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.
Vulnerability category: Input validation
Products affected by CVE-2023-28856
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
Threat overview for CVE-2023-28856
- Top open port discovered on systems with this issue: 6379
- IPs affected by CVE-2023-28856: 55,688
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2023-28856
- EPSS score: 0.24% (probability of exploitation activity in the next 30 days)
- Percentile: ~65% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2023-28856

| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST | |
| 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | 1.8 | 3.6 | GitHub, Inc. | |
CWE ids for CVE-2023-28856
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: security-advisories@github.com (Secondary)
- The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. Assigned by:
  - nvd@nist.gov (Primary)
  - security-advisories@github.com (Secondary)
References for CVE-2023-28856
- https://github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5c (Patch): fix hincrbyfloat not to create a key if the new value is invalid (#11… · redis/redis@bc7fe41 · GitHub
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPUTH7NBQTZDVJWFNUD24ZCS6NDUFYS6/ (Mailing List; Third Party Advisory): [SECURITY] Fedora 38 Update: redis-7.0.11-1.fc38 - package-announce - Fedora Mailing-Lists
- https://github.com/redis/redis/pull/11149 (Issue Tracking; Patch): fix hincrbyfloat not to create a key if the new value is invalid by chendq8 · Pull Request #11149 · redis/redis · GitHub
- https://lists.debian.org/debian-lts-announce/2023/04/msg00023.html (Mailing List; Third Party Advisory): [SECURITY] [DLA 3396-1] redis security update
- https://security.netapp.com/advisory/ntap-20230601-0007/ : CVE-2023-28856 Redis Vulnerability in NetApp Products | NetApp Product Security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EQ4DJSO4DMR55AWK6OPVJH5UTEB35R2Z/ (Mailing List; Third Party Advisory): [SECURITY] Fedora 36 Update: redis-6.2.12-1.fc36 - package-announce - Fedora Mailing-Lists
- https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6 (Vendor Advisory): HINCRBYFLOAT can be used to crash a redis-server process · Advisory · redis/redis · GitHub
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQGKMKSQE67L32HE6W5EI2I2YKW5VWHI/ (Mailing List; Third Party Advisory): [SECURITY] Fedora 37 Update: redis-7.0.11-1.fc37 - package-announce - Fedora Mailing-Lists