CVE-2023-28425: 
Redis vulnerability analysis and mitigation

Redis versions 7.0.8 prior to 7.0.10 contain a vulnerability (CVE-2023-28425) where authenticated users can trigger a runtime assertion and termination of the Redis server process using the MSETNX command. The vulnerability was discovered by Yupeng Yang and was publicly disclosed on March 20, 2023 (GitHub Advisory).

The vulnerability is related to the MSETNX command implementation where using the same key twice could trigger a runtime assertion. The issue has a CVSS v3.1 base score of 5.5 (MEDIUM) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating local access requirements, low attack complexity, and high impact on availability (NVD, GitHub Advisory).

Successful exploitation of this vulnerability leads to a Denial of Service (DoS) condition through the termination of the Redis server process. The vulnerability affects the availability of the service while having no direct impact on confidentiality or integrity (GitHub Advisory, NetApp Advisory).

The vulnerability has been fixed in Redis version 7.0.10. Users are advised to upgrade to this patched version to mitigate the risk. The fix involves modifying the handling of the MSETNX command when the same key is used multiple times (Redis Release, GitHub Commit).