CVE-2021-32672: 
Redis vulnerability analysis and mitigation

Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger's protocol parser to read data beyond the actual buffer. This vulnerability (CVE-2021-32672) affects all versions of Redis with Lua debugging support (3.2 or newer). The issue was discovered by Meir Shpilraien and fixed in versions 6.2.6, 6.0.16 and 5.0.14 (Redis Advisory).

The vulnerability is classified as an out-of-bounds read (CWE-125) in the Lua debugger protocol parser. When processing malformed requests, the debugger's protocol parser could read data beyond the actual buffer boundaries. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) (NVD).

The successful exploitation of this vulnerability could lead to unauthorized disclosure of sensitive information through random heap reading when using the Redis Lua Debugger (Redis Advisory, NetApp Advisory).

The vulnerability has been fixed in Redis versions 6.2.6, 6.0.16, and 5.0.14. Users are strongly recommended to upgrade to these patched versions. The fix includes validating that there are enough bytes to read and limiting the amount of data that can be sent by the debugger client to 1M to prevent memory exploitation (Redis Commit).