QwikSec

Security Database

CVE

CWE

Training

CVE-2022-35951

Published: Sep 23, 2022

Modified: Apr 23, 2025

PUBLISHED

CVSS v3.1

7.0

HIGH

Description

Redis is an in-memory database that persists on disk. Versions 7.0.0 and above, prior to 7.0.5 are vulnerable to an Integer Overflow. Executing an `XAUTOCLAIM` command on a stream key in a specific state, with a specially crafted `COUNT` argument may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. This has been patched in Redis version 7.0.5. No known workarounds exist.

Vendor	Product	Versions
redis	redis	affected `>= 7.0.0, < 7.0.5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/redis/redis/security/advisories/GHSA-5gc4-76rx-22c9

FEDORA-2022-de7b3ceca6

vendor-advisory

vendor-advisory

https://security.netapp.com/advisory/ntap-20221020-0005/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.