CVE-2021-32687: 
Redis vulnerability analysis and mitigation

CVE-2021-32687 is an integer overflow vulnerability affecting all versions of Redis that was discovered and disclosed on October 4, 2021. The vulnerability involves changing the default 'set-max-intset-entries' configuration parameter to a very large value and constructing specially crafted commands to manipulate sets (GitHub Advisory, NVD).

The vulnerability is rated as High severity with a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue occurs when the set-max-intset-entries configuration parameter is manually configured to a non-default, very large value, which can lead to an integer overflow condition in the intset data structure (GitHub Advisory).

When successfully exploited, this vulnerability can be used to corrupt the heap and potentially lead to arbitrary contents of the heap being leaked or trigger remote code execution. The vulnerability affects the integrity and confidentiality of the Redis server (GitHub Advisory).

The vulnerability has been patched in Redis versions 6.2.6, 6.0.16, and 5.0.14. As a workaround before patching, users can prevent modification of the set-max-intset-entries configuration parameter by using ACL to restrict unprivileged users from using the CONFIG SET command (GitHub Advisory).

The vulnerability was discovered and reported by Pawel Wieczorkiewicz from Amazon Web Services. Multiple organizations including Red Hat, Oracle, and Debian issued security advisories and patches for their Redis implementations (Red Hat Advisory, Debian Advisory).