CVE-2018-11218 — redis - security update

Description

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.

How to fix CVE-2018-11218

To remediate CVE-2018-11218, upgrade the affected package to a fixed version below.

Alpine/redis—upgrade to 3.2.12-r0 or later
Debian/redis—upgrade to 5:4.0.10-1 or later
—upgrade to 2:2.8.17-1+deb8u6 or later
—upgrade to 3:3.2.6-3+deb9u1 or later

Is CVE-2018-11218 being exploited?

Likely — EPSS is 83.0%, placing CVE-2018-11218 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (4)

from 0, < 3.2.12-r0
from 0, < 5:4.0.10-1
from 0, < 2:2.8.17-1+deb8u6
from 0, < 3:3.2.6-3+deb9u1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2018-11218
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2018-11218