CVE-2019-10192

HIGH

Redis <3.2.13, <4.0.14, <5.0.4 - Buffer Overflow

Title source: llm

Description

A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By carefully corrupting a hyperloglog using the SETRANGE command, an attacker could trick Redis interpretation of dense HLL encoding to write up to 3 bytes beyond the end of a heap-allocated buffer.

References (17)

Core 17

Core References

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2019/dsa-4480

Mailing List, Third Party Advisory mailing-list x_refsource_bugtraq

https://seclists.org/bugtraq/2019/Jul/19

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/4061-1/

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/109290

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:1819

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:1860

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2002

Third Party Advisory vendor-advisory x_refsource_gentoo

https://security.gentoo.org/glsa/201908-04

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2508

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2506

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2621

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:2630

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpujul2020.html

Release Notes, Vendor Advisory x_refsource_misc

https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES

Release Notes, Vendor Advisory x_refsource_misc

https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES

Release Notes, Vendor Advisory x_refsource_misc

https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES

Issue Tracking, Third Party Advisory x_refsource_confirm

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10192

Scores

CVSS v3 7.2

EPSS 0.2073

EPSS Percentile 95.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-122 CWE-787

Status published

Products (21)

canonical/ubuntu_linux 16.04

canonical/ubuntu_linux 18.04

canonical/ubuntu_linux 19.04

debian/debian_linux 9.0

debian/debian_linux 10.0

oracle/communications_operations_monitor 3.4

oracle/communications_operations_monitor 4.1

redhat/enterprise_linux 8.0

redhat/enterprise_linux_eus 8.1

redhat/enterprise_linux_eus 8.2

... and 11 more

Published Jul 11, 2019

Tracked Since Feb 18, 2026