CVE-2023-28856
redis - security update
6.5
MEDIUM
CVSS 3.1
EPSS 0.33%
Description
Redis is an open source, in-memory database that persists on disk. In affected versions, authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis when it is accessed. This issue has been addressed in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.
How to fix CVE-2023-28856
To remediate CVE-2023-28856, upgrade the affected package to a fixed version below.
- upgrade to 6.0.19 or later
- upgrade to 6.0.19 or later
- upgrade to 6.0.19 or later
- upgrade to 5:6.0.16-1+deb11u3 or later
- upgrade to 5:5.0.14-1+deb10u4 or later
Is CVE-2023-28856 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- >= 0, < 6.0.19; >= 6.2.0, < 6.2.12; >= 7.0.0, < 7.0.11
- >= 0, < 6.0.19; >= 6.2.0, < 6.2.12; >= 7.0.0, < 7.0.11
- >= 0, < 6.0.19; >= 6.2.0, < 6.2.12; >= 7.0.0, < 7.0.11
- >= 0, < 5:6.0.16-1+deb11u3
- >= 0, < 5:5.0.14-1+deb10u4
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |