Alpine: redis: security update to 6.2.18-r0

critical Tenable Cloud Security Plugin ID 425950

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a
denial-of-service by using specially crafted, long string match patterns on supported commands such as
`KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely
long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem
has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no
known workarounds for this vulnerability. (CVE-2024-31228)

- Redis is an open source, in-memory database that persists on disk. An authenticated user may use a
specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially
lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This
problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are
no known workarounds for this vulnerability. (CVE-2024-31449)

- Redis is an open source, in-memory database that persists on disk. An authenticated user may use a
specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code
execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the
problem without patching the redis-server executable is to prevent users from executing Lua scripts. This
can be done using ACL to restrict EVAL and EVALSHA commands. (CVE-2024-46981)

- Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior
to 7.4.3, An unauthenticated client can cause unlimited growth of output buffers, until the server runs
out of memory or is killed. By default, the Redis configuration does not limit the output buffer of normal
clients (see client-output-buffer-limit). Therefore, the output buffer can grow unlimitedly over time. As
a result, the service is exhausted and the memory is unavailable. When password authentication is enabled
on the Redis server, but no password is provided, the client can still cause the output buffer to grow
from "NOAUTH" responses until the system will run out of memory. This issue has been patched in version
7.4.3. An additional workaround to mitigate this problem without patching the redis-server executable is
to block access to prevent unauthenticated users from connecting to Redis. This can be done in different
ways. Either using network access control tools like firewalls, iptables, security groups, etc, or
enabling TLS and requiring users to authenticate using client side certificates. (CVE-2025-21605)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-31228

https://security.alpinelinux.org/vuln/CVE-2024-31449

https://security.alpinelinux.org/vuln/CVE-2024-46981

https://security.alpinelinux.org/vuln/CVE-2025-21605

Plugin Details

Severity: Critical

ID: 425950

Version: Revision 1.4

Type: Local

Published: 5/8/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.92

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-46981

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 9/26/2024

Reference Information

CVE: CVE-2024-31228, CVE-2024-31449, CVE-2024-46981, CVE-2025-21605