Alpine: multiple redis packages: security update to 6.0.13-r0

high Tenable Cloud Security Plugin ID 406908

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and
message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the
`STRALGO LCS` command to corrupt the heap and potentially result with remote code execution. The problem
is fixed in version 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching
the redis-server executable is to use ACL configuration to prevent clients from using the `STRALGO LCS`
command. (CVE-2021-29477)

- Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and
integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15,
and 6.2.5. On 32-bit systems, Redis `*BIT*` command are vulnerable to integer overflow that can
potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code
execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to
a very large value and constructing specially crafted commands bit commands. This problem only affects
Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.`3m 6.0.15, and 6.2.5
contain patches for this issue. An additional workaround to mitigate the problem without patching the
`redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration
parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.
(CVE-2021-32761)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-29477

https://security.alpinelinux.org/vuln/CVE-2021-32761

Plugin Details

Severity: High

ID: 406908

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-29477

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 5/4/2021

Reference Information

CVE: CVE-2021-29477, CVE-2021-32761