{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-07T19:51:04Z",
  "bugzilla" : {
    "description" : "redis: Denial-of-service due to malformed ACL selectors in Redis",
    "id" : "2317053",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2317053"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "A flaw was found in Redis. This flaw allows an authenticated attacker with sufficient privileges to create a malformed ACL selector that triggers a server panic and subsequent denial of service when accessed." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-12-05T00:00:00Z",
    "advisory" : "RHSA-2024:10869",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "redis:7-9050020241104103753.9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp-system-container",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Discovery 1",
    "fix_state" : "Not affected",
    "package_name" : "discovery-server-container",
    "cpe" : "cpe:/a:redhat:discovery:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "redis:6/redis",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "redis",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Quay 3",
    "fix_state" : "Not affected",
    "package_name" : "quay/quay-rhel8",
    "cpe" : "cpe:/a:redhat:quay:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-31227\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-31227\nhttps://github.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a\nhttps://github.com/redis/redis/security/advisories/GHSA-38p4-26x2-vqhh" ],
  "name" : "CVE-2024-31227",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}