Skip to main content

Redis

202 CVEs product

Monthly

CVE-2019-17206 PyPI CRITICAL PATCH Act Now

Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Redis Deserialization Redis Wrapper
NVD GitHub
CVSS 3.1
9.8
EPSS
3.2%
CVE-2019-3800 HIGH This Week

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Cloud Foundry Command Line Interface Cloud Foundry Command Line Interface Release Cloud Foundry Deployment Cloud Foundry Deployment Concourse Tasks +42
NVD
CVSS 3.0
7.8
EPSS
2.1%
CVE-2019-10193 HIGH PATCH This Week

A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Redis Buffer Overflow Stack Overflow Openstack Enterprise Linux +6
NVD
CVSS 3.1
7.2
EPSS
23.7%
CVE-2019-10192 HIGH PATCH This Week

A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Redis Buffer Overflow Heap Overflow Openstack Software Collections +7
NVD
CVSS 3.1
7.2
EPSS
26.0%
CVE-2019-9947 MEDIUM POC This Month

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Redis Code Injection Python
NVD
CVSS 3.1
6.1
EPSS
5.6%
CVE-2019-9741 MEDIUM POC This Month

An issue was discovered in net/http in Go 1.11.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Redis Code Injection Go Debian Linux Fedora +2
NVD GitHub
CVSS 3.1
6.1
EPSS
2.3%
CVE-2019-9740 MEDIUM POC This Month

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Redis Code Injection Python
NVD
CVSS 3.1
6.1
EPSS
5.3%
CVE-2018-1000536 MEDIUM POC This Month

Medis version 0.6.1 and earlier contains a XSS vulnerability evolving into code execution due to enabled nodeIntegration for the renderer process vulnerability in Key name parameter on new key. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Redis XSS RCE Medis
NVD GitHub
CVSS 3.0
6.1
EPSS
1.2%
CVE-2018-11219 CRITICAL POC PATCH Act Now

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Redis Buffer Overflow Debian Linux Communications Operations Monitor +1
NVD GitHub
CVSS 3.0
9.8
EPSS
7.1%
CVE-2018-11218 CRITICAL POC PATCH THREAT Act Now

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Redis Memory Corruption Buffer Overflow Debian Linux Communications Operations Monitor +1
NVD GitHub
CVSS 3.0
9.8
EPSS
58.5%
CVE-2018-12326 HIGH POC PATCH This Week

Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3 allows an attacker to achieve code execution and escalate to higher privileges via a crafted command line. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Redis RCE Buffer Overflow
NVD GitHub Exploit-DB
CVSS 3.0
8.4
EPSS
2.7%
CVE-2018-12453 HIGH POC PATCH THREAT This Week

Type confusion in the xgroupCommand function in t_stream.c in redis-server in Redis before 5.0 allows remote attackers to cause denial-of-service via an XGROUP command in which the key is not a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Redis Information Disclosure
NVD GitHub Exploit-DB
CVSS 3.0
7.5
EPSS
24.2%
CVE-2018-8073 PHP CRITICAL PATCH Act Now

Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Redis Code Injection RCE Yii
NVD
CVSS 3.0
9.8
EPSS
1.6%
CVE-2017-1000248 Ruby CRITICAL PATCH Act Now

Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Redis Redis Store
NVD GitHub
CVSS 3.0
9.8
EPSS
0.5%
CVE-2016-10517 HIGH This Week

networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the Redis protocol (but commonly occur when an attack. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Redis Information Disclosure
NVD GitHub
CVSS 3.0
7.4
EPSS
0.4%
CVE-2017-15047 CRITICAL PATCH Act Now

The clusterLoadConfig function in cluster.c in Redis 4.0.2 allows attackers to cause a denial of service (out-of-bounds array index and application crash) or possibly have unspecified other impact by. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Redis
NVD GitHub
CVSS 3.0
9.8
EPSS
0.4%
CVE-2015-3156 PyPI MEDIUM PATCH This Month

The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py,. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Redis PostgreSQL Information Disclosure Trove
NVD GitHub
CVSS 3.0
5.5
EPSS
0.1%
CVE-2017-5169 HIGH PATCH This Week

An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

RCE Redis CSRF Apache Smart Security Manager
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2016-8339 CRITICAL POC PATCH Act Now

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Redis Memory Corruption Buffer Overflow RCE
NVD GitHub
CVSS 3.1
9.8
EPSS
2.5%
CVE-2013-7458 LOW PATCH Monitor

linenoise, as used in Redis before 3.2.3, uses world-readable permissions for .rediscli_history, which allows local users to obtain sensitive information by reading the file. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Redis Information Disclosure Debian Linux
NVD GitHub
CVSS 3.0
3.3
EPSS
0.0%
CVE-2015-8080 HIGH POC This Week

Integer overflow in the getnum function in lua_struct.c in Redis 2.8.x before 2.8.24 and 3.0.x before 3.0.6 allows context-dependent attackers with permission to run Lua code in a Redis session to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow Denial Of Service Redis Buffer Overflow Debian Linux +3
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2015-4335 CRITICAL POC Act Now

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Redis RCE Debian Linux
NVD GitHub
CVSS 2.0
10.0
EPSS
8.1%
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Uncontrolled deserialization of a pickled object in models.py in Frost Ming rediswrapper (aka Redis Wrapper) before 0.3.0 allows attackers to execute arbitrary scripts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Redis Deserialization Redis Wrapper
NVD GitHub
EPSS 2% CVSS 7.8
HIGH This Week

CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Cloud Foundry Command Line Interface Cloud Foundry Command Line Interface Release +44
NVD
EPSS 24% CVSS 7.2
HIGH PATCH This Week

A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Redis Buffer Overflow Stack Overflow +8
NVD
EPSS 26% CVSS 7.2
HIGH PATCH This Week

A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Redis Buffer Overflow Heap Overflow +9
NVD
EPSS 6% CVSS 6.1
MEDIUM POC This Month

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Redis Code Injection Python
NVD
EPSS 2% CVSS 6.1
MEDIUM POC This Month

An issue was discovered in net/http in Go 1.11.5. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Redis Code Injection Go +4
NVD GitHub
EPSS 5% CVSS 6.1
MEDIUM POC This Month

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Redis Code Injection Python
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Medis version 0.6.1 and earlier contains a XSS vulnerability evolving into code execution due to enabled nodeIntegration for the renderer process vulnerability in Key name parameter on new key. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Redis XSS RCE +1
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL POC PATCH Act Now

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Redis Buffer Overflow +3
NVD GitHub
EPSS 59% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Redis Memory Corruption Buffer Overflow +3
NVD GitHub
EPSS 3% CVSS 8.4
HIGH POC PATCH This Week

Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3 allows an attacker to achieve code execution and escalate to higher privileges via a crafted command line. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Redis RCE Buffer Overflow
NVD GitHub Exploit-DB
EPSS 24% CVSS 7.5
HIGH POC PATCH THREAT This Week

Type confusion in the xgroupCommand function in t_stream.c in redis-server in Redis before 5.0 allows remote attackers to cause denial-of-service via an XGROUP command in which the key is not a. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Redis Information Disclosure
NVD GitHub Exploit-DB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Redis Code Injection RCE +1
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Redis-store <=v1.3.0 allows unsafe objects to be loaded from redis. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization Redis Redis Store
NVD GitHub
EPSS 0% CVSS 7.4
HIGH This Week

networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the Redis protocol (but commonly occur when an attack. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Redis Information Disclosure
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

The clusterLoadConfig function in cluster.c in Redis 4.0.2 allows attackers to cause a denial of service (out-of-bounds array index and application crash) or possibly have unspecified other impact by. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Redis
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py,. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Redis PostgreSQL Information Disclosure +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in Hanwha Techwin Smart Security Manager Versions 1.5 and prior. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

RCE Redis CSRF +2
NVD
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Redis Memory Corruption Buffer Overflow +1
NVD GitHub
EPSS 0% CVSS 3.3
LOW PATCH Monitor

linenoise, as used in Redis before 3.2.3, uses world-readable permissions for .rediscli_history, which allows local users to obtain sensitive information by reading the file. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Redis Information Disclosure Debian Linux
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC This Week

Integer overflow in the getnum function in lua_struct.c in Redis 2.8.x before 2.8.24 and 3.0.x before 3.0.6 allows context-dependent attackers with permission to run Lua code in a Redis session to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Integer Overflow Denial Of Service Redis +5
NVD GitHub
EPSS 8% CVSS 10.0
CRITICAL POC Act Now

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Redis RCE Debian Linux
NVD GitHub
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy