{
  "bugzilla": {
    "description": "redis: an assertion failure in a primary server by sending a non-administrative command",
    "id": "2223393",
    "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2223393"
  },
  "csaw": false,
  "cvss3": {
    "cvss3_base_score": "5.9",
    "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status": "draft"
  },
  "cwe": "CWE-617",
  "details": [
    "Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this.",
    "A flaw was found in the Redis package. If a replica sends a SET command to its master during a failover, the master crashes on assertion."
  ],
  "name": "CVE-2021-31294",
  "package_state": [
    {
      "cpe": "cpe:/a:redhat:red_hat_3scale_amp:2",
      "fix_state": "Affected",
      "package_name": "3scale-amp-backend-container",
      "product_name": "Red Hat 3scale API Management Platform 2"
    },
    {
      "cpe": "cpe:/a:redhat:red_hat_3scale_amp:2",
      "fix_state": "Will not fix",
      "package_name": "3scale-amp-system-container",
      "product_name": "Red Hat 3scale API Management Platform 2"
    },
    {
      "cpe": "cpe:/a:redhat:acm:2",
      "fix_state": "Not affected",
      "package_name": "rhacm2/search-api-rhel8",
      "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"
    },
    {
      "cpe": "cpe:/a:redhat:ansible_automation_platform",
      "fix_state": "Affected",
      "package_name": "ansible-tower",
      "product_name": "Red Hat Ansible Automation Platform 1.2"
    },
    {
      "cpe": "cpe:/o:redhat:enterprise_linux:8",
      "fix_state": "Will not fix",
      "package_name": "redis:6/redis",
      "product_name": "Red Hat Enterprise Linux 8"
    },
    {
      "cpe": "cpe:/o:redhat:enterprise_linux:9",
      "fix_state": "Not affected",
      "package_name": "redis",
      "product_name": "Red Hat Enterprise Linux 9"
    },
    {
      "cpe": "cpe:/a:redhat:jboss_fuse:7",
      "fix_state": "Will not fix",
      "package_name": "redis",
      "product_name": "Red Hat Fuse 7"
    },
    {
      "cpe": "cpe:/a:redhat:openstack:16.1",
      "fix_state": "Not affected",
      "package_name": "openstack-redis-base-container",
      "product_name": "Red Hat OpenStack Platform 16.1"
    },
    {
      "cpe": "cpe:/a:redhat:openstack:16.1",
      "fix_state": "Will not fix",
      "package_name": "openstack-redis-container",
      "product_name": "Red Hat OpenStack Platform 16.1"
    },
    {
      "cpe": "cpe:/a:redhat:openstack:17.0",
      "fix_state": "Not affected",
      "package_name": "openstack-redis-container",
      "product_name": "Red Hat OpenStack Platform 17.0"
    },
    {
      "cpe": "cpe:/a:redhat:openstack:17.1",
      "fix_state": "Not affected",
      "package_name": "openstack-redis-container",
      "product_name": "Red Hat OpenStack Platform 17.1"
    },
    {
      "cpe": "cpe:/a:redhat:openstack:18.0",
      "fix_state": "Not affected",
      "package_name": "openstack-redis-container",
      "product_name": "Red Hat OpenStack Platform 18.0"
    },
    {
      "cpe": "cpe:/a:redhat:satellite:6",
      "fix_state": "Not affected",
      "package_name": "satellite:el8/rubygem-gitlab-sidekiq-fetcher",
      "product_name": "Red Hat Satellite 6"
    },
    {
      "cpe": "cpe:/a:redhat:satellite:6",
      "fix_state": "Not affected",
      "package_name": "tfm-rubygem-gitlab-sidekiq-fetcher",
      "product_name": "Red Hat Satellite 6"
    },
    {
      "cpe": "cpe:/a:redhat:rhel_software_collections:3",
      "fix_state": "Will not fix",
      "package_name": "rh-redis6-redis",
      "product_name": "Red Hat Software Collections"
    }
  ],
  "public_date": "2023-07-15T00:00:00Z",
  "references": [
    "https://www.cve.org/CVERecord?id=CVE-2021-31294\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-31294\nhttps://github.com/redis/redis/issues/8712"
  ],
  "statement": "Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-617: Reachable Assertion vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nRed Hat enforces strict input validation to ensure all user-supplied data conforms to expected formats and boundaries, reducing the likelihood that malformed input could trigger unintended application states. Assertions and other insecure constructs are identified through static code analysis and peer reviews, and are excluded from production builds to prevent exposure of internal logic or disruption of system behavior. Error-handling routines ensure that invalid conditions are managed gracefully without causing unpredictable behavior or system instability. Additionally, system components are designed to fail in a known, controlled state, minimizing the risk and impact of reachable assertion conditions in the environment.",
  "threat_severity": "Moderate"
}