CVE-2023-28856: 
Redis vulnerability analysis and mitigation

CVE-2023-28856 affects Redis, an open source, in-memory database that persists on disk. The vulnerability was discovered and disclosed in April 2023, affecting Redis versions prior to 7.0.11, 6.2.12, and 6.0.19. The issue allows authenticated users to use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access (Redis Advisory, NVD).

The vulnerability stems from insufficient validation in the HINCRBYFLOAT command implementation, which can lead to the creation of invalid hash fields. The issue has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and requiring low privileges (NVD). The vulnerability is classified under CWE-617 (Reachable Assertion) and CWE-20 (Improper Input Validation).

When successfully exploited, this vulnerability can cause a denial of service (DoS) condition by crashing the Redis server process. The impact is particularly significant as it affects the availability of the Redis service, though it does not compromise data confidentiality or integrity (Redis Advisory, NetApp Advisory).

The vulnerability has been patched in Redis versions 7.0.11, 6.2.12, and 6.0.19. Users are strongly advised to upgrade to these or later versions. There are no known workarounds for this issue other than upgrading to a patched version (Redis Advisory, Debian Advisory).