CVE-2023-36824: 
Redis vulnerability analysis and mitigation

CVE-2023-36824 affects Redis versions 7.0.0 prior to 7.0.12. The vulnerability involves a heap overflow condition that occurs when extracting key names from commands and argument lists in Redis, an in-memory database that persists on disk. The vulnerability was discovered in July 2023 and patched with the release of Redis 7.0.12 (Redis Release, GitHub Advisory).

The vulnerability manifests when extracting key names from a command and a list of arguments, which can trigger a heap overflow resulting in random heap memory reading, heap corruption, and potential remote code execution. The issue specifically affects authenticated users executing specially crafted 'COMMAND GETKEYS' or 'COMMAND GETKEYSANDFLAGS' commands, as well as authenticated users with ACL rules that match key names when executing commands referring to variadic key name lists. The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, GitHub Advisory).

Successful exploitation of this vulnerability can lead to reading random heap memory, heap corruption, and potentially remote code execution. The impact includes potential disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS) (NetApp Advisory).

The vulnerability has been patched in Redis version 7.0.12. Users are advised to upgrade to this version or later to mitigate the risk. The fix addresses the heap overflow issues in both the command key extraction and ACL evaluation mechanisms (Redis Release).