CVE-2023-41053: 
Redis vulnerability analysis and mitigation

Redis, an in-memory database that persists on disk, was found to contain a security vulnerability (CVE-2023-41053) affecting versions 7.0 and newer. The vulnerability was discovered by yangbodong22011 and publicly disclosed on September 6, 2023. The issue impacts Redis's access control list (ACL) configuration when handling the SORT_RO command (GitHub Advisory).

The vulnerability stems from Redis's inability to correctly identify keys accessed by the SORT_RO command. This implementation flaw has been assigned a CVSS v3.1 base score of 3.3 (Low) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-269 (Improper Privilege Management) (NVD, GitHub Advisory).

When exploited, this vulnerability allows users executing the SORT_RO command to gain access to keys that are not explicitly authorized by the ACL configuration. This represents a security bypass that could lead to unauthorized access to data stored in Redis (GitHub Advisory).

The vulnerability has been fixed in Redis versions 7.0.13 and 7.2.1. Users running affected versions are advised to upgrade to these patched versions or newer. There are no known workarounds for this vulnerability (GitHub Advisory, Fedora Update).