CVE-2022-31144 — Potential heap overflow in Redis

Description

Redis is an in-memory database that persists on disk. A specially crafted `XAUTOCLAIM` command on a stream key in a specific state may result with heap overflow, and potentially remote code execution. This problem affects versions on the 7.x branch prior to 7.0.4. The patch is released in version 7.0.4.

How to fix CVE-2022-31144

To remediate CVE-2022-31144, upgrade the affected package to a fixed version below.

—upgrade to 7.0.4-r0 or later
—upgrade to 7.0.4 or later
—upgrade to 7.0.4 or later
—upgrade to 7.0.4 or later
—upgrade to 5:7.0.4-1 or later

Is CVE-2022-31144 being exploited?

Moderate — EPSS is 20.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

from 0, < 7.0.4-r0
>= 7.0.0, < 7.0.4
>= 7.0.0, < 7.0.4
>= 7.0.0, < 7.0.4
from 0, < 5:7.0.4-1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-31144
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-31144
WEBgithub.com/redis/redis/releases/tag/7.0.4
WEBgithub.com/redis/redis/security/advisories/GHSA-96f7-42fg-2jrh
WEB