Alpine: multiple redis packages: security update to 6.0.14-r0

high Tenable Self-Hosted Container Security Plugin ID 406909

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and
message broker. An integer overflow bug in Redis version 6.0 or newer, could be exploited using the
STRALGO LCS command to corrupt the heap and potentially result with remote code execution. This is a
result of an incomplete fix by CVE-2021-29477. The problem is fixed in version 6.2.4 and 6.0.14. An
additional workaround to mitigate the problem without patching the redis-server executable is to use ACL
configuration to prevent clients from using the STRALGO LCS command. On 64 bit systems which have the
fixes of CVE-2021-29477 (6.2.3 or 6.0.13), it is sufficient to make sure that the proto-max-bulk-len
config parameter is smaller than 2GB (default is 512MB). (CVE-2021-32625)

See Also

https://security.alpinelinux.org/vuln/CVE-2021-32625

Plugin Details

Severity: High

ID: 406909

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-32625

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 6/2/2021

Reference Information

CVE: CVE-2021-32625