{ "threat_severity" : "Important", "public_date" : "2025-10-03T19:27:23Z", "bugzilla" : { "description" : "Redis: Redis Lua Use-After-Free may lead to remote code execution", "id" : "2401324", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2401324" }, "cvss3" : { "cvss3_base_score" : "8.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-416", "details" : [ "Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This issue is fixed in version 8.2.2. To workaround this issue without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.", "A vulnerability found in Redis where a flaw in the Lua scripting engine can trigger a use-after-free condition. An authenticated attacker can exploit this by running a specially crafted Lua script, potentially resulting in remote code execution (RCE) within the Redis process." ], "statement" : "This vulnerability should be rated Important rather than Moderate because it introduces a memory-safety defect in Redis’s Lua subsystem that can be weaponized for remote code execution (RCE). An authenticated actor with permission to run Lua can craft scripts that trigger a use-after-free in the parser/stack-management code, giving precise control over freed memory and enabling arbitrary code execution inside the redis-server process. That risk is fundamentally different from a typical moderate issue (e.g., a crash or limited denial-of-service): successful exploitation directly compromises the server runtime and all in-memory contents—cached data, session tokens, and application state—rather than merely disrupting service. Because Redis commonly runs with elevated privileges and is a trusted core component in application architectures, an RCE in the server process undermines confidentiality, integrity, and availability across dependent services. Authenticated attackability, trivial exploitation via standard commands (EVAL/EVALSHA), and the potential for full-process compromise elevate CVE-2025-49844 to Important severity.\nThis flaw exists only in the Redis server implementation; \nRedis client libraries (Python, Node.js, Rust, etc.) are not affected by this vulnerability, and it only exists in the Redis server’s embedded Lua engine where scripts execute. Client libraries merely transmit EVAL/EVALSHA to the server.\nRed Hat Satellite does not ship the Redis server, and the Redis client libraries it includes (such as python-redis, python-aioredis and rubygem-redis) are not impacted by this vulnerability. While Satellite consume the Redis package from the underlying RHEL system, which is affected, the Redis service in Satellite is bound only to the local interface and is accessible solely by internal components like Pulp and Dynflow. Since vulnerability requires sending crafted Lua payloads to the Redis command interface, and no external or untrusted clients can connect, the effective exposure within Satellite is nullified.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-04T00:00:00Z", "advisory" : "RHSA-2025:19675", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "valkey-0:8.0.6-1.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21936", "cpe" : "cpe:/o:redhat:enterprise_linux:10.1", "package" : "valkey-0:8.0.6-2.el10_1" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-10-29T00:00:00Z", "advisory" : "RHSA-2025:19238", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "redis:6-8100020251007064521.489197e6" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-10-30T00:00:00Z", "advisory" : "RHSA-2025:19318", "cpe" : "cpe:/a:redhat:rhel_aus:8.4", "package" : "redis:6-8040020251022121413.522a0ee4" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-10-30T00:00:00Z", "advisory" : "RHSA-2025:19318", "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4", "package" : "redis:6-8040020251022121413.522a0ee4" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-10-29T00:00:00Z", "advisory" : "RHSA-2025:19239", "cpe" : "cpe:/a:redhat:rhel_aus:8.6", "package" : "redis:6-8060020251022110425.ad008a3a" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-10-29T00:00:00Z", "advisory" : "RHSA-2025:19239", "cpe" : "cpe:/a:redhat:rhel_tus:8.6", "package" : "redis:6-8060020251022110425.ad008a3a" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-10-29T00:00:00Z", "advisory" : "RHSA-2025:19239", "cpe" : "cpe:/a:redhat:rhel_e4s:8.6", "package" : "redis:6-8060020251022110425.ad008a3a" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19399", "cpe" : "cpe:/a:redhat:rhel_tus:8.8", "package" : "redis:6-8080020251022085755.63b34585" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19399", "cpe" : "cpe:/a:redhat:rhel_e4s:8.8", "package" : "redis:6-8080020251022085755.63b34585" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-10-29T00:00:00Z", "advisory" : "RHSA-2025:19237", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "redis-0:6.2.20-1.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-10-30T00:00:00Z", "advisory" : "RHSA-2025:19345", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "redis:7-9060020251007094800.9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20926", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "redis-0:6.2.20-2.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-11T00:00:00Z", "advisory" : "RHSA-2025:20955", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "redis:7-9070020251016095039.9" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-11-24T00:00:00Z", "advisory" : "RHSA-2025:21916", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "valkey-0:8.0.6-2.el9_7" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-10-23T00:00:00Z", "advisory" : "RHSA-2025:18997", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "redis-0:6.2.6-1.el9_0.5" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-10-23T00:00:00Z", "advisory" : "RHSA-2025:19086", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "redis-0:6.2.7-1.el9_2.5" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-10-21T00:00:00Z", "advisory" : "RHSA-2025:18931", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "redis:7-9040020251015162111.9" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-10-23T00:00:00Z", "advisory" : "RHSA-2025:18996", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "redis-0:6.2.7-1.el9_4.5" }, { "product_name" : "Red Hat OpenShift GitOps 1.16", "release_date" : "2025-12-15T00:00:00Z", "advisory" : "RHSA-2025:23207", "cpe" : "cpe:/a:redhat:openshift_gitops:1.16::el8", "package" : "openshift-gitops-1/gitops-rhel8-operator:1.16" }, { "product_name" : "Red Hat OpenShift GitOps 1.17", "release_date" : "2025-12-15T00:00:00Z", "advisory" : "RHSA-2025:23206", "cpe" : "cpe:/a:redhat:openshift_gitops:1.17::el8", "package" : "openshift-gitops-1/gitops-rhel8-operator:1.17" }, { "product_name" : "Red Hat OpenShift GitOps 1.18", "release_date" : "2025-12-15T00:00:00Z", "advisory" : "RHSA-2025:23203", "cpe" : "cpe:/a:redhat:openshift_gitops:1.18::el8", "package" : "openshift-gitops-1/gitops-rhel8-operator:1.18" } ], "package_state" : [ { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/cluster-logging-operator-bundle", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/cluster-logging-rhel9-operator", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/eventrouter-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/fluentd-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/log-file-metric-exporter-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/logging-view-plugin-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/vector-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/cluster-logging-operator-bundle", "cpe" : "cpe:/a:redhat:logging:6" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/cluster-logging-rhel9-operator", "cpe" : "cpe:/a:redhat:logging:6" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/eventrouter-rhel9", "cpe" : "cpe:/a:redhat:logging:6" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/log-file-metric-exporter-rhel9", "cpe" : "cpe:/a:redhat:logging:6" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/vector-rhel9", "cpe" : "cpe:/a:redhat:logging:6" }, { "product_name" : "Red Hat AI Inference Server", "fix_state" : "Not affected", "package_name" : "rhaiis-preview/vllm-cuda-rhel9", "cpe" : "cpe:/a:redhat:ai_inference_server:3" }, { "product_name" : "Red Hat AI Inference Server", "fix_state" : "Not affected", "package_name" : "rhaiis/vllm-cuda-rhel9", "cpe" : "cpe:/a:redhat:ai_inference_server:3" }, { "product_name" : "Red Hat AI Inference Server", "fix_state" : "Not affected", "package_name" : "rhaiis/vllm-rocm-rhel9", "cpe" : "cpe:/a:redhat:ai_inference_server:3" }, { "product_name" : "Red Hat AI Inference Server", "fix_state" : "Not affected", "package_name" : "rhaiis/vllm-spyre-rhel9", "cpe" : "cpe:/a:redhat:ai_inference_server:3" }, { "product_name" : "Red Hat AI Inference Server", "fix_state" : "Not affected", "package_name" : "rhaiis/vllm-tpu-rhel9", "cpe" : "cpe:/a:redhat:ai_inference_server:3" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/de-minimal-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/de-minimal-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/de-supported-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/de-supported-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/ee-minimal-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/ee-minimal-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/ee-supported-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/ee-supported-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-24/platform-resource-runner-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/aap-cloud-metrics-collector-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/ansible-dev-tools-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/de-minimal-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/de-minimal-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/de-supported-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/de-supported-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/ee-cloud-services-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/ee-minimal-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/ee-minimal-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/ee-supported-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/ee-supported-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/lightspeed-chatbot-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-25/platform-resource-runner-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-26/ansible-dev-tools-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-26/de-minimal-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-26/de-supported-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-26/ee-minimal-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-26/ee-supported-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-26/platform-resource-runner-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform/ee-minimal-rhel8", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform/ee-minimal-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-tech-preview/ansible-devspaces-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "ansible-automation-platform-tech-preview/automation-dashboard-rhel9", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Ansible Automation Platform 2", "fix_state" : "Not affected", "package_name" : "automation-controller", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2" }, { "product_name" : "Red Hat Connectivity Link 1", "fix_state" : "Not affected", "package_name" : "rhcl-1/limitador-rhel9", "cpe" : "cpe:/a:redhat:connectivity_link:1" }, { "product_name" : "Red Hat Developer Hub", "fix_state" : "Not affected", "package_name" : "rhdh/rhdh-hub-rhel9", "cpe" : "cpe:/a:redhat:rhdh:1" }, { "product_name" : "Red Hat Discovery 1", "fix_state" : "Not affected", "package_name" : "discovery/discovery-server-rhel9", "cpe" : "cpe:/a:redhat:discovery:1" }, { "product_name" : "Red Hat Discovery 2", "fix_state" : "Not affected", "package_name" : "discovery/discovery-server-rhel9", "cpe" : "cpe:/a:redhat:discovery:2::el9" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI)", "fix_state" : "Not affected", "package_name" : "rhelai1/bootc-amd-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI)", "fix_state" : "Not affected", "package_name" : "rhelai1/bootc-azure-amd-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI)", "fix_state" : "Not affected", "package_name" : "rhelai1/instructlab-amd-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-feature-server-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-llama-stack-core-rhel9", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-ironic-agent-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-ironic-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Not affected", "package_name" : "argocd-rhel8", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Not affected", "package_name" : "argocd-rhel9", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-aodh-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-aodh-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-aodh-evaluator", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-aodh-listener", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-aodh-notifier", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-barbican-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-barbican-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-barbican-keystone-listener", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-barbican-worker", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ceilometer-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ceilometer-central", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ceilometer-compute", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ceilometer-ipmi", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ceilometer-notification", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-cinder-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-cinder-backup", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-cinder-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-cinder-scheduler", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-cinder-volume", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-collectd", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-dependencies", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ec2-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-glance-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-glance-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-gnocchi-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-gnocchi-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-gnocchi-metricd", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-gnocchi-statsd", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-heat-all", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-heat-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-heat-api-cfn", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-heat-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-heat-engine", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-horizon", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-horizon-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ironic-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ironic-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ironic-conductor", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ironic-inspector", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ironic-neutron-agent", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-ironic-pxe", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-keystone", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-keystone-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-manila-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-manila-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-manila-scheduler", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-manila-share", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-mistral-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-mistral-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-mistral-engine", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-mistral-event-engine", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-mistral-executor", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-neutron-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-neutron-dhcp-agent", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-neutron-l3-agent", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-neutron-metadata-agent", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-neutron-metadata-agent-ovn", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-neutron-openvswitch-agent", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-neutron-server", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-neutron-server-opendaylight", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-neutron-server-ovn", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-neutron-sriov-agent", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-nova-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-nova-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-nova-compute", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-nova-compute-ironic", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-nova-conductor", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-nova-consoleauth", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-nova-libvirt", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-nova-novncproxy", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-nova-placement-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-nova-scheduler", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-octavia-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-octavia-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-octavia-health-manager", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-octavia-housekeeping", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-octavia-worker", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-panko-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-panko-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-sahara-api", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-sahara-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-sahara-engine", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-swift-account", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-swift-base", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-swift-container", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-swift-object", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-swift-proxy-server", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-tempest", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Not affected", "package_name" : "rhosp13/openstack-zaqar", "cpe" : "cpe:/a:redhat:openstack:13" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Not affected", "package_name" : "quay/quay-rhel8", "cpe" : "cpe:/a:redhat:quay:3" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "python-aioredis", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "python-redis", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "rubygem-redis", "cpe" : "cpe:/a:redhat:satellite:6" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Not affected", "package_name" : "satellite/iop-advisor-engine-rhel9", "cpe" : "cpe:/a:redhat:satellite:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-49844\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-49844\nhttps://github.com/redis/redis/commit/d5728cb5795c966c5b5b1e0f0ac576a7e69af539\nhttps://github.com/redis/redis/releases/tag/8.2.2\nhttps://github.com/redis/redis/security/advisories/GHSA-4789-qfc9-5f9q\nhttps://redis.io/blog/security-advisory-cve-2025-49844/" ], "name" : "CVE-2025-49844", "mitigation" : { "value" : "No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.\nTo reduce the risk, restricting network access to trusted hosts, enforcing strong authentication and protected-mode, disabling or limiting Lua scripting where possible can be beneficial and apply least-privilege ACLs to reduce who can run scripting commands, keep instances non-public with firewalls/VPCs, and follow Redis hardening guidance to minimize exposure.", "lang" : "en:us" }, "csaw" : false }