CVE-2021-32765

Published: 04/10/2021 Updated: 07/12/2022
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 580
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnerable to integer overflow if provided maliciously crafted or corrupted `RESP` `multi-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check whether `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it cannot, and the `calloc()` call doesn't itself make this check, the result is a short allocation and a subsequent buffer overflow. Users of hiredis who are unable to update may set the [maxelements](github.com/redis/hiredis#reader-max-array-elements) context option to a value small enough that no overflow is possible.
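The check the summary describes, as an added example that is not hiredis' own code: the multi-bulk header count is parsed, then verified against `SIZE_MAX / sizeof(redisReply*)` and an optional element cap before `calloc()` runs. `parse_multibulk_header`, `multibulk_count_fits`, `alloc_multibulk` and the `maxelements` parameter are hypothetical names, and `redisReply` is an opaque stand-in for the hiredis type.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Opaque stand-in for hiredis' redisReply; only sizeof(redisReply *) matters here. */
typedef struct redisReply redisReply;

/* Hypothetical check (not hiredis code): true when count * sizeof(redisReply *)
 * is representable in size_t, so the product handed to calloc() cannot wrap.
 * maxelements mirrors the reader's "maxelements" option; 0 means no cap. */
bool multibulk_count_fits(long long count, size_t maxelements)
{
    if (count < 0)
        return false;                 /* negative counts never reach calloc() */
    if (maxelements != 0 && (unsigned long long)count > maxelements)
        return false;                 /* caller-configured element cap */
    return (unsigned long long)count <= SIZE_MAX / sizeof(redisReply *);
}

/* Parses a RESP multi-bulk header of the form "*<count>\r\n" into *count.
 * Returns false for anything that is not a well-formed header. */
bool parse_multibulk_header(const char *hdr, long long *count)
{
    char *end;
    if (hdr[0] != '*')
        return false;
    errno = 0;
    long long n = strtoll(hdr + 1, &end, 10);
    if (errno == ERANGE || end == hdr + 1 || strncmp(end, "\r\n", 2) != 0)
        return false;
    *count = n;
    return true;
}

/* Allocates the element array only after the size check passed. Returns NULL
 * on malformed headers, over-cap counts, or a count whose byte size would wrap. */
redisReply **alloc_multibulk(const char *hdr, size_t maxelements)
{
    long long count;
    if (!parse_multibulk_header(hdr, &count))
        return NULL;
    if (!multibulk_count_fits(count, maxelements))
        return NULL;                  /* the check described for CVE-2021-32765 */
    return calloc((size_t)count, sizeof(redisReply *));
}
```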

Vulnerable Product Search on Vulmon

redis: hiredis
debian: debian linux 9.0
netapp: management services for element software and netapp hci

Vendor Advisories

Hiredis is a minimalistic C client library for the Redis database. In affected versions Hiredis is vulnerable to integer overflow if provided maliciously crafted or corrupted `RESP` `multi-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If ...
Hiredis before version 1.0.1 is vulnerable to integer overflow if provided maliciously crafted or corrupted RESP multi-bulk protocol data. When parsing multi-bulk (array-like) replies, hiredis fails to check if count * sizeof(redisReply*) can be represented in SIZE_MAX. If it can not, and the calloc() call doesn't itself make this check, it would r ...

Github Repositories

This Readme reflects the latest changes in the master branch. See v1.0.0 for the Readme and documentation for the latest release (API/ABI history). HIREDIS: Hiredis is a minimalistic C client library for the Redis database. It is minimalistic because it just adds minimal support for the protocol, but at the same time it uses a high level printf-alike API in order to make it much

Minimalistic C client for Redis >= 1.2