CVE-2023-28425
Specially crafted MSETNX command can lead to denial-of-service
5.5
MEDIUM
CVSS 3.1
EPSS 45.3%
Description
Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process. The problem is fixed in Redis version 7.0.10.
How to fix CVE-2023-28425
To remediate CVE-2023-28425, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 7.0.10 or later
- upgrade to 7.0.10 or later
- upgrade to 7.0.10 or later
- upgrade to 5:7.0.10-1 or later
Is CVE-2023-28425 being exploited?
Moderate — EPSS is 45.3%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (4)
- >= 7.0.8, < 7.0.10
- >= 7.0.8, < 7.0.10
- >= 7.0.8, < 7.0.10
- from 0, < 5:7.0.10-1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |