CVE-2023-45145
LOWRedis 2.6.0-6.2.13 - Unauthenticated Unauthorized Connection via Unix Socket Permission Race Condition
Title source: llmDescription
Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.
References (7)
Core 7
Core References
Mailing List, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.html
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/464JPNBWE433ZGYXO3KN72VR3KJPWHAW/
Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]/message/BNEK2K4IE7MPKRD6H36JXZMJKYS6I5GQ/
Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]/message/DZMGTTV5XM4LA66FSIJSETNBBRRPJYOQ/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20231116-0014/
Vendor Advisory x_refsource_confirm
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvx
Patch x_refsource_misc
https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1
Scores
CVSS v3
3.6
EPSS
0.0044
EPSS Percentile
35.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-668
Status
published
Products (6)
debian/debian_linux
10.0
fedoraproject/fedora
37
fedoraproject/fedora
38
fedoraproject/fedora
39
redis/redis
2.6.0 rc1
redis/redis
2.6.0 - 6.2.14
Published
Oct 18, 2023
Tracked Since
Feb 18, 2026