
Test ID: 1.3.6.1.4.1.25623.1.0.104997
Category: Databases
Title: Redis Unix Socket Permission Access Bypass Vulnerability (GHSA-ghmp-889m-7cvx)
Summary: Redis is prone to a vulnerability that allows bypassing the desired Unix socket permissions on startup.
Description:
Summary:
Redis is prone to a vulnerability that allows bypassing the desired
Unix socket permissions on startup.

Vulnerability Insight:
On startup, Redis begins listening on a Unix socket before
adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used,
this creates a race condition that enables, during a short period of time, another process to
establish an otherwise unauthorized connection.

Affected Software/OS:
Redis versions starting from 2.6.0-RC1 and prior to 6.2.14,
7.0.x prior to 7.0.14 and 7.2.x prior to 7.2.2.

Solution:
Update to version 6.2.14, 7.0.14, 7.2.2 or later.

It is also possible to work around the problem by disabling Unix sockets, starting Redis with a
restrictive umask, or storing the Unix socket file in a protected directory.
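
The following Python sketch is an added example, not code from Redis or from this test. It shows, on Linux, which mode a Unix socket file has between bind() and any later chmod() under a permissive versus a restrictive umask, and checks whether the socket's directory is owner-only. The function names, the socket file name and the reading of "protected directory" as "no group/other permission bits" are assumptions made for illustration.

```python
import os
import socket
import stat
import tempfile


def mode_after_bind(path, umask):
    """Bind a Unix socket under `umask`; return its mode before any chmod()."""
    old = os.umask(umask)
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        srv.close()
        os.umask(old)
        if os.path.exists(path):
            os.unlink(path)


def exposed_to_others(mode):
    # On Linux, connect() needs write permission on the socket file.
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def directory_is_protected(path):
    # Assumption: "protected" means no group/other bits on this directory.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return not (mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as d:    # created with mode 0700
        sock = os.path.join(d, "example.sock")  # constructed sample path
        results["permissive_umask"] = mode_after_bind(sock, 0o000)
        results["restrictive_umask"] = mode_after_bind(sock, 0o077)
        results["dir_0700_protected"] = directory_is_protected(d)
        os.chmod(d, 0o755)
        results["dir_0755_protected"] = directory_is_protected(d)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, f"{value:#o}" if type(value) is int else value)
```

With a restrictive umask the socket is never writable by other users, and with an owner-only directory other users cannot reach the socket file at all, whatever its mode.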

CVSS Score:
2.4

CVSS Vector:
AV:L/AC:H/Au:S/C:P/I:P/A:N

Cross-reference: Common Vulnerability Exposure (CVE) ID: CVE-2023-45145
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/464JPNBWE433ZGYXO3KN72VR3KJPWHAW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNEK2K4IE7MPKRD6H36JXZMJKYS6I5GQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZMGTTV5XM4LA66FSIJSETNBBRRPJYOQ/
https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvx
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.html
Copyright: Copyright (C) 2023 Greenbone AG
