CVE-2023-45145

CVSS V2 None CVSS V3 None

Description

Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.

Overview

CVE ID
CVE-2023-45145

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2023-10-18T20:17:08.588Z

Last Modified Date
2023-10-18T20:17:08.588Z

Weakness Enumerations

CWE	URL
CWE-668	http://cwe.mitre.org/data/definitions/668.html

References

Reference URL	Reference Tags
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvx	x_refsource_CONFIRM
https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1	x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/464JPNBWE433ZGYXO3KN72VR3KJPWHAW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNEK2K4IE7MPKRD6H36JXZMJKYS6I5GQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZMGTTV5XM4LA66FSIJSETNBBRRPJYOQ/
https://security.netapp.com/advisory/ntap-20231116-0014/

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-45145
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45145

History

Created	Old Value	New Value	Data Type	Notes
2024-06-25 10:19:07				Added to TrackCVE