Code in redis | CVE-2015-4335

Threat Intelligence

1.81% (88^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-UBUNTU1604-REDIS-626372
published9 Jun 2015
disclosed9 Jun 2015

Report a new vulnerability Found a mistake?

Introduced: 9 Jun 2015

CVE-2015-4335 (opens in a new tab) CWE-17 (opens in a new tab)

Amendment

The Ubuntu security team deemed this advisory irrelevant for Ubuntu:16.04.

NVD Description

Note: Versions mentioned in the description apply only to the upstream redis package and not the redis package as distributed by Ubuntu.

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

References

http://people.ubuntu.com/~ubuntu-security/cve/CVE-2015-4335
https://groups.google.com/forum/#%21msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ
https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ
http://www.debian.org/security/2015/dsa-3279
https://security-tracker.debian.org/tracker/CVE-2015-4335
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162094.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162146.html
https://security.gentoo.org/glsa/201702-16
https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
http://lists.opensuse.org/opensuse-updates/2015-10/msg00014.html
http://www.openwall.com/lists/oss-security/2015/06/04/12
http://www.openwall.com/lists/oss-security/2015/06/04/8
http://www.openwall.com/lists/oss-security/2015/06/05/3
http://rhn.redhat.com/errata/RHSA-2015-1676.html
http://www.securityfocus.com/bid/75034

Code The advisory has been revoked - it doesn't affect any version of package redis (opens in a new tab)