A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By carefully corrupting a hyperloglog using the SETRANGE command, an attacker could trick Redis interpretation of dense HLL encoding to write up to 3 bytes beyond the end of a heap-allocated buffer.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
History
21 Nov 2024, 04:18
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.securityfocus.com/bid/109290 - Third Party Advisory, VDB Entry | |
References | () https://access.redhat.com/errata/RHSA-2019:1819 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2019:1860 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2019:2002 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2019:2506 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2019:2508 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2019:2621 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2019:2630 - Third Party Advisory | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10192 - Issue Tracking, Third Party Advisory | |
References | () https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES - Release Notes, Vendor Advisory | |
References | () https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES - Release Notes, Vendor Advisory | |
References | () https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES - Release Notes, Vendor Advisory | |
References | () https://seclists.org/bugtraq/2019/Jul/19 - Mailing List, Third Party Advisory | |
References | () https://security.gentoo.org/glsa/201908-04 - Third Party Advisory | |
References | () https://usn.ubuntu.com/4061-1/ - Third Party Advisory | |
References | () https://www.debian.org/security/2019/dsa-4480 - Third Party Advisory | |
References | () https://www.oracle.com/security-alerts/cpujul2020.html - Patch, Third Party Advisory |
Information
Published : 2019-07-11 19:15
Updated : 2024-11-21 04:18
NVD link : CVE-2019-10192
Mitre link : CVE-2019-10192
CVE.ORG link : CVE-2019-10192
JSON object : View
Products Affected
redhat
- openstack
- enterprise_linux
- enterprise_linux_server_aus
- enterprise_linux_eus
- enterprise_linux_server_tus
- software_collections
canonical
- ubuntu_linux
redislabs
- redis
oracle
- communications_operations_monitor
debian
- debian_linux