CVE-2021-32672

Description

Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.

How to fix CVE-2021-32672

To remediate CVE-2021-32672, upgrade the affected package to a fixed version below.

• —upgrade to 5.0.14-r0 or later
• —upgrade to 5.0.14 or later
• —upgrade to 5.0.14 or later
• —upgrade to 5.0.14 or later
• —upgrade to 5:6.0.16-1+deb11u1 or later

Is CVE-2021-32672 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 5.0.14-r0
• >= 3.2.0, < 5.0.14, >= 6.0.0, < 6.0.16, >= 6.2.0, < 6.2.6
• >= 3.2.0, < 5.0.14, >= 6.0.0, < 6.0.16, >= 6.2.0, < 6.2.6
• >= 3.2.0, < 5.0.14, >= 6.0.0, < 6.0.16, >= 6.2.0, < 6.2.6
• from 0, < 5:6.0.16-1+deb11u1

CVSS scores

References (12)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2021-32672
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-32672
• WEBgithub.com/redis/redis/commit/6ac3c0b7abd35f37201ed2d6298ecef4ea1ae1dd
• WEBgithub.com/redis/redis/security/advisories/GHSA-9mj9-xx53-qmxm