Vulnerability title
The Redis Unix-domain socket may be exposed with the wrong permissions during a specific time window.
Vulnerability description
The Redis Unix-domain socket may be exposed with the wrong permissions for a short time.
CVSS information
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N
Vulnerability category
Concurrent execution using a shared resource with improper synchronization (race condition)
Vulnerability title
Redis Unix-domain socket may be exposed with the wrong permissions for a short time window.
Vulnerability description
Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.
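The ordering problem the description points at (listen first, fix permissions second) is easy to observe directly. The following Python script is an added illustration, not code from the Redis project or from the advisory: it binds a Unix-domain socket under a chosen umask, records the file mode that any local process could see between bind(2) and chmod(2), and only then applies the configured permission. The parameter is named `unixsocketperm` after the redis.conf directive; the helper names, the temporary directory and the sample umask values are the example's own assumptions.

```python
import os
import socket
import stat
import tempfile


def bind_with_umask(sock_path, umask_value, unixsocketperm):
    """Create a Unix-domain listening socket in the order a daemon typically does.

    Returns (mode_right_after_bind, mode_after_chmod). The first value is what
    any local process can observe in the window between bind(2) and chmod(2);
    the second is the permission the configuration actually asked for.
    """
    old_umask = os.umask(umask_value)
    try:
        if os.path.exists(sock_path):
            os.unlink(sock_path)
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            # The socket inode is created here with mode 0777 & ~umask (unix(7)).
            srv.bind(sock_path)
            srv.listen(1)
            mode_after_bind = stat.S_IMODE(os.stat(sock_path).st_mode)
            # The "late" permission fix: only now is the configured mode applied.
            os.chmod(sock_path, unixsocketperm)
            mode_after_chmod = stat.S_IMODE(os.stat(sock_path).st_mode)
        finally:
            srv.close()
            os.unlink(sock_path)
    finally:
        os.umask(old_umask)
    return mode_after_bind, mode_after_chmod


def exposed_bits(mode_after_bind, unixsocketperm):
    """Permission bits that exist during the window but are absent from the configured mode.

    A non-zero result means the socket was reachable more widely than intended
    for the duration of the race window; zero means the window was closed.
    """
    return mode_after_bind & ~unixsocketperm & 0o777


def demonstrate(umask_value, unixsocketperm=0o700):
    """Run the bind/chmod sequence inside a private (mode 0700) temp directory.

    Returns (mode_after_bind, mode_after_chmod, exposed_bits). The private
    directory stands in for the "protected directory" workaround: even when the
    socket mode is briefly too wide, other users cannot traverse the directory.
    """
    with tempfile.TemporaryDirectory() as workdir:  # constructed, throwaway location
        sock_path = os.path.join(workdir, "redis.sock")  # hypothetical socket name
        after_bind, after_chmod = bind_with_umask(sock_path, umask_value, unixsocketperm)
    return after_bind, after_chmod, exposed_bits(after_bind, unixsocketperm)


if __name__ == "__main__":
    # Permissive umask: the socket is world-accessible until chmod runs.
    print("umask 022:", [oct(v) for v in demonstrate(0o022)])
    # Restrictive umask, as the workaround recommends: no window at all.
    print("umask 077:", [oct(v) for v in demonstrate(0o077)])
```

With umask `0o022` the first reading is `0o755`, so the `0o055` group/other bits are exposed until the chmod lands; with umask `0o077` the socket is created as `0o700` from the start and `exposed_bits` reports zero, which is exactly the effect of starting the daemon with a restrictive umask.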
CVSS information
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Vulnerability category
Exposure of resource to the wrong sphere
Vulnerability title
Redis Labs Redis security vulnerability
Vulnerability description
Redis Labs Redis is an open-source key-value (Key-Value) store database from the US company Redis Labs, written in ANSI C, network-capable, able to run in memory or persist to disk, log-structured, and offering APIs for many languages. Redis 2.6.0-rc1 and later versions contain a security vulnerability caused by improper permission management.
CVSS information
N/A
Vulnerability category
Other