CVE-2023-28856
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2023-28856
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28856.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2023-28856
- Aliases
- Downstream
- Related
- Published
- 2023-04-18T21:15:09Z
- Modified
- 2025-10-10T04:30:27.839123Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Redis is an open source, in-memory database that persists on disk. Authenticated users can use the
HINCRBYFLOATcommand to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue. - References
-
- https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6
- https://lists.debian.org/debian-lts-announce/2023/04/msg00023.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EQ4DJSO4DMR55AWK6OPVJH5UTEB35R2Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPUTH7NBQTZDVJWFNUD24ZCS6NDUFYS6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQGKMKSQE67L32HE6W5EI2I2YKW5VWHI/
- https://security.netapp.com/advisory/ntap-20230601-0007/
- https://github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5c
- https://github.com/redis/redis/pull/11149
Affected packages
Git / github.com/redis/redis
Affected ranges
- Type
- GIT
- Repo
- https://github.com/redis/redis
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
1.*
1.3.6
2.*
2.2-alpha0
2.2-alpha1
2.2-alpha2
2.2-alpha3
2.2-alpha4
2.2-alpha5
2.2-alpha6
2.2.0-rc1
2.3-alpha0
3.*
3.0-alpha0
v1.*
v1.3.10
v1.3.11
v1.3.12
v1.3.7
v1.3.8
v1.3.9
v2.*
v2.0.0-rc1
v2.1.1-watch
Other
vm-playpen
with-deprecated-diskstore
Database specific
{
"vanir_signatures": [
{
"source": "https://github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5c",
"id": "CVE-2023-28856-38b41659",
"digest": {
"line_hashes": [
"57405584871899262086016017610265619809",
"205707702322636315792193608061836075174",
"147361045299368567821354545319049191855",
"237515320385344892240792858591057582825"
],
"threshold": 0.9
},
"target": {
"file": "src/t_hash.c"
},
"signature_type": "Line",
"deprecated": false,
"signature_version": "v1"
},
{
"source": "https://github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5c",
"id": "CVE-2023-28856-b00e551a",
"digest": {
"length": 1246.0,
"function_hash": "94218052227217989572285703011581209673"
},
"target": {
"function": "hincrbyfloatCommand",
"file": "src/t_hash.c"
},
"signature_type": "Function",
"deprecated": false,
"signature_version": "v1"
}
]
}