CVE Vulnerabilities

CVE-2015-8080

Published: Apr 13, 2016 | Modified: Aug 08, 2018
CVSS 3.x: 7.5 HIGH (Source: NVD), CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x: 5 MEDIUM, AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2: 6.5 MODERATE, AV:N/AC:L/Au:S/C:P/I:P/A:P
RedHat/V3
Ubuntu

Integer overflow in the getnum function in lua_struct.c in Redis 2.8.x before 2.8.24 and 3.0.x before 3.0.6 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (memory corruption and application crash) or possibly bypass intended sandbox restrictions via a large number, which triggers a stack-based buffer overflow.

Affected Software

Name | Vendor | Start Version | End Version
Debian_linux | Debian | 8.0 | 8.0
Debian_linux | Debian | 9.0 | 9.0
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 | RedHat | redis-0:2.8.24-1.el7ost | *
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | RedHat | redis-0:2.8.24-1.el7ost | *
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7 | RedHat | redis-0:2.8.24-1.el7ost | *
Redis | Ubuntu | artful | *
Redis | Ubuntu | precise | *
Redis | Ubuntu | trusty | *
Redis | Ubuntu | trusty/esm | *
Redis | Ubuntu | upstream | *
Redis | Ubuntu | vivid | *
Redis | Ubuntu | wily | *
Redis | Ubuntu | yakkety | *
Redis | Ubuntu | zesty | *

References