Redis is an in-memory database that persists on disk. Authenticated users can use string-matching commands (such as SCAN or KEYS) with a specially crafted pattern to trigger a denial of service, causing Redis to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, and 7.0.9.
An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Redis | Redis | * | 6.0.18 (excluding) |
| Redis | Redis | 6.2.0 (including) | 6.2.11 (excluding) |
| Redis | Redis | 7.0.0 (including) | 7.0.9 (excluding) |
| Red Hat Enterprise Linux 8 | RedHat | redis:6-8100020250113083959.489197e6 | * |
| Redis | Ubuntu | bionic | * |
| Redis | Ubuntu | esm-apps/bionic | * |
| Redis | Ubuntu | esm-apps/focal | * |
| Redis | Ubuntu | esm-apps/jammy | * |
| Redis | Ubuntu | esm-apps/xenial | * |
| Redis | Ubuntu | esm-infra-legacy/trusty | * |
| Redis | Ubuntu | focal | * |
| Redis | Ubuntu | jammy | * |
| Redis | Ubuntu | kinetic | * |
| Redis | Ubuntu | lunar | * |
| Redis | Ubuntu | trusty | * |
| Redis | Ubuntu | trusty/esm | * |
| Redis | Ubuntu | upstream | * |
| Redis | Ubuntu | xenial | * |
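The following check is an added example, not part of the advisory: it reads the version a server reports via `INFO server` and compares it against the affected upstream ranges in the table above. It assumes upstream version numbering; the sample `INFO` output is constructed, and distribution packages (the Ubuntu and Red Hat rows) may backport the fix without changing the version string.

```python
"""Compare a Redis server's self-reported version against the affected
upstream ranges listed in the advisory table (6.0.18, 6.2.11, 7.0.9 fixed).
Vendor packages may carry the fix under an older version string; check the
vendor changelog for those rather than relying on this comparison."""
import re

# (start inclusive, end exclusive); None means "every version below end".
AFFECTED_RANGES = [
    (None, (6, 0, 18)),
    ((6, 2, 0), (6, 2, 11)),
    ((7, 0, 0), (7, 0, 9)),
]


def parse_version(text: str) -> tuple:
    """Turn '6.2.7' (optionally with a suffix such as '-rc1') into (6, 2, 7)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised Redis version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the affected upstream ranges."""
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        if (start is None or v >= start) and v < end:
            return True
    return False


def version_from_info(info_text: str) -> str:
    """Pull redis_version out of the text returned by `redis-cli INFO server`."""
    for line in info_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "redis_version":
            return value
    raise ValueError("redis_version not present in INFO output")


# Constructed sample of `INFO server` output; not captured from a real host.
SAMPLE_INFO = """# Server
redis_version:6.2.7
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 5.15.0 x86_64
"""

if __name__ == "__main__":
    ver = version_from_info(SAMPLE_INFO)
    print(f"redis {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
```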