CVE-2018-12326
Publication date 17 June 2018
Last updated 25 August 2025
Ubuntu priority
Description
Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3 allows an attacker to achieve code execution and escalate to higher privileges via a crafted command line. NOTE: It is unclear whether there are any common situations in which redis-cli is used with, for example, a -h (aka hostname) argument from an untrusted source.
From the Ubuntu Security Team
It was discovered that Redis incorrectly handled certain arguments. An attacker could possibly use this issue to execute arbitrary code.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| redis | ||
| 18.04 LTS bionic |
Fixed 5:4.0.9-1ubuntu0.1
|
|
| 16.04 LTS xenial |
Fixed 2:3.0.6-1ubuntu0.2
|
|
| 14.04 LTS trusty |
Fixed 2:2.8.4-2ubuntu0.2
|
Severity score breakdown
CVSS version: CVSS v3.0
Base score
8.4 · High
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
Other references
- https://gist.github.com/fakhrizulkifli/f831f40ec6cde4f744c552503d8698f0
- https://github.com/antirez/redis/commit/9fdcc15962f9ff4baebe6fdd947816f43f730d50
- https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES
- https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
- https://www.cve.org/CVERecord?id=CVE-2018-12326