{
  "threat_severity" : "Important",
  "public_date" : "2024-01-09T00:00:00Z",
  "bugzilla" : {
    "description" : "redis: Heap Buffer Overflow may lead to potential remote code execution",
    "id" : "2257454",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2257454"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-122",
  "details" : [ "Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers which can result in integer overflow that leads to heap overflow and potential remote code execution. This issue has been patched in version 7.0.15 and 7.2.4.", "A flaw was found in Redis. When processing a certain sequence of payloads, Redis may incorrectly handle the resizing of memory buffers, leading to a heap-based buffer overflow, potentially resulting in a denial of service or remote code execution." ],
  "statement" : "The redis package, as shipped with Red Hat Enterprise Linux 8, 9, and RHSCL is not affected by this vulnerability because the vulnerable code was introduced in a newer version of redis. However, the redis:7 module as shipped with Red Hat Enterprise Linux 9.3 is affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-03-05T00:00:00Z",
    "advisory" : "RHEA-2024:1143",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "redis:7-9030020240206103833.9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "3scale-amp-backend-container",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "3scale-amp-system-container",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 1.2",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible-tower",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "redis:6/redis",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "redis",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "redis",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Affected",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-redis6-redis",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-41056\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-41056\nhttps://github.com/redis/redis/security/advisories/GHSA-xr47-pcmx-fq2m" ],
  "name" : "CVE-2023-41056",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}