CVE-2022-35951: Redis flaw could lead to execute arbitrary code attacks

The maintainers of the Redis have pushed software updates to fix a high-impact security vulnerability. Tracked as CVE-2022-35951, the security flaw has a CVSS score of 7.0 and is described as a heap overflow in Redis 7.0 XAUTOCLAIM command’s COUNT argument.

Redis is often referred to as a data structures server. What this means is that Redis provides access to mutable data structures via a set of commands, which are sent using a server-client model with TCP sockets and a simple protocol. So different processes can query and modify the same data structures in a shared way.

Redis could allow a local authenticated attacker to execute arbitrary code on the system, caused by an integer overflow when executing a XAUTOCLAIM command on a stream key in a specific state. By using a specially-crafted COUNT argument, an attacker could exploit the CVE-2022-35951 vulnerability to execute arbitrary code on the system.

“Executing a XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument may cause an integer overflow, a subsequent heap overflow, and potentially lead to remote code execution. The problem affects Redis versions 7.0.0 or newer,” read the security advisory.

A researcher Xion (SeungHyun Lee) of KAIST GoN has been credited with reporting the flaw to Redis.

Users of the library are recommended to upgrade to Redis version 7.0.5 to mitigate any potential threats.