Key Information

Vulnerability Name: hiredis, hiredis-py: Multiple Vulnerabilities
Vulnerability ID: GLSA 202210-32
Release Date: October 31, 2022
Last Revised: October 31, 2022: 1
Severity: normal
Exploitability: remote
Related Vulnerability IDs:
- 873079
- 816318

Affected Packages

dev-libs/hiredis:
- Affected versions: = 1.0.1
dev-python/hiredis:
- Affected versions: = 2.0.0

Background

hiredis is a minimal C client library for the Redis database. hiredis-py is a Python extension that wraps hiredis.

Vulnerability Description

When parsing protocol data, if the provided data contains maliciously crafted or corrupted (array-like) replies, hiredis fails to check whether can be represented as . If not, and if the call itself does not perform this check, it results in a short allocation and subsequent buffer overflow.

Impact

Malicious Redis commands may lead to remote code execution.

Solution

All hiredis users should upgrade to the latest version:

All hiredis-py users should upgrade to the latest version:

References

CVE-2021-32765
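
The short-allocation failure mode from the Vulnerability Description, shown next to the check that prevents it. This is an added example, not code from hiredis or from the advisory. It assumes the unchecked quantity is an element count read from the reply multiplied by a pointer size; the `reply` type and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed reply node; not hiredis's own type. */
typedef struct reply { int type; long long integer; } reply;

/* Unchecked size: wraps modulo SIZE_MAX + 1 for large counts, so the
 * allocator is asked for far fewer bytes than the caller will write. */
static size_t unchecked_bytes(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Checked size: 0 and *out set on success, -1 if the product overflows. */
static int checked_bytes(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;
    *out = count * elem_size;
    return 0;
}

/* Allocate the child-pointer array for an array-like reply whose element
 * count came from untrusted protocol data. NULL means "reject the reply". */
static reply **alloc_elements(long long wire_count) {
    size_t bytes;
    if (wire_count < 0 || (unsigned long long)wire_count > SIZE_MAX)
        return NULL;
    if (checked_bytes((size_t)wire_count, sizeof(reply *), &bytes) != 0)
        return NULL; /* explicit check: do not rely on the allocator */
    if (bytes == 0)
        bytes = sizeof(reply *); /* keep malloc(0) out of the picture */
    reply **elements = malloc(bytes);
    if (elements != NULL)
        memset(elements, 0, bytes);
    return elements;
}

int main(void) {
    /* Constructed input: the smallest count whose byte size overflows. */
    size_t bad = SIZE_MAX / sizeof(reply *) + 1;
    printf("unchecked size for %zu elements: %zu bytes\n",
           bad, unchecked_bytes(bad, sizeof(reply *)));
    reply **r = alloc_elements((long long)bad);
    printf("checked allocation: %s\n", r ? "allocated" : "rejected");
    free(r);
    return 0;
}
```

The unchecked product for the constructed count is 0 bytes, which is why the explicit bound against `SIZE_MAX` has to happen before any allocation call.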