CVE-2024-31227

Description

Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

How to fix CVE-2024-31227

To remediate CVE-2024-31227, upgrade the affected package to a fixed version below.

• —upgrade to 7.0.15-r1 or later
• —upgrade to 7.2.7-r0 or later
• —no fix listed
• —upgrade to 7.2.8 or later
• —upgrade to 7.2.7 or later
• —upgrade to 7.3.1+ds-1 or later
• —upgrade to 5:7.0.15-1~deb12u2 or later
• —upgrade to 8.0.1+dfsg1-1 or later

Is CVE-2024-31227 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0, < 7.0.15-r1
• from 0, < 7.2.7-r0
• >= 7.0.0
• >= 7.0.0, < 7.2.8, >= 7.3.0, < 7.4.1
• from 0, < 7.2.7, >= 8.0.0, < 8.0.1
• from 0, < 7.3.1+ds-1
• from 0, < 5:7.0.15-1~deb12u2
• from 0, < 8.0.1+dfsg1-1

CVSS scores

References (5)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-31227
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-31227
• WEBgithub.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a
• WEBgithub.com/redis/redis/security/advisories/GHSA-38p4-26x2-vqhh