Vulnerability CVE-2023-45145: Information

Description

Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.

Severity: LOW (3.6) Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-45145
Published: Oct. 19, 2023
Modified: Jan. 21, 2024
Error type identifier: CWE-668

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
redissisyphus7.2.3-alt17.2.4-alt1.1ALT-PU-2023-7052-1333827Fixed
redissisyphus_e2k7.2.3-alt17.2.4-alt1.1ALT-PU-2023-7151-1-Fixed
redissisyphus_riscv647.2.4-alt0.port7.2.4-alt0.portALT-PU-2024-3125-1-Fixed
redissisyphus_loongarch647.2.4-alt17.2.4-alt1.1ALT-PU-2024-1509-1-Fixed
redisp106.2.14-alt16.2.14-alt1ALT-PU-2023-7053-2333828Fixed
redisp10_e2k6.2.14-alt16.2.14-alt1ALT-PU-2023-7402-1-Fixed
redisp117.2.3-alt17.2.4-alt1.1ALT-PU-2023-7052-1333827Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1
  • Patch
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvx
  • Vendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.html
  • Mailing List
  • Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/464JPNBWE433ZGYXO3KN72VR3KJPWHAW/
  • Mailing List
  • Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNEK2K4IE7MPKRD6H36JXZMJKYS6I5GQ/
  • Mailing List
  • Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZMGTTV5XM4LA66FSIJSETNBBRRPJYOQ/
  • Mailing List
https://security.netapp.com/advisory/ntap-20231116-0014/
  • Third Party Advisory

    1. Configuration 1

      cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
      Start including
      7.2.0
      End excliding
      7.2.2
      cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
      Start including
      7.0.0
      End excliding
      7.0.14
      cpe:2.3:a:redis:redis:2.6.0:rc1:*:*:*:*:*:*
      cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
      Start including
      2.6.0
      End excliding
      6.2.14

      Configuration 2

      cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
      cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
      cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

      Configuration 3

      cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
Version: v24.5.3
Back to top