CVE-2024-31228: 
Redis vulnerability analysis and mitigation

Redis, an open-source in-memory database, was found to contain a vulnerability (CVE-2024-31228) where authenticated users could trigger a denial-of-service condition. The vulnerability affects Redis commands such as KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST, and ACL definitions. This security flaw was discovered and disclosed in October 2024, affecting all versions of Redis (GitHub Advisory).

The vulnerability stems from unbounded pattern matching in Redis's string matching functionality. When processing extremely long patterns, the system may enter unbounded recursion, which can lead to stack overflow and subsequent process crash. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified as CWE-674 (Uncontrolled Recursion) (GitHub Advisory, Security Online).

The vulnerability can result in a denial-of-service condition when an authenticated user submits specially crafted, long string match patterns. When successfully exploited, this can cause the Redis server process to crash, potentially disrupting applications and services that depend on Redis (GitHub Advisory).

The vulnerability has been patched in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are strongly advised to upgrade their Redis installations to these patched versions. There are no known workarounds for this vulnerability (GitHub Advisory, Ubuntu Security).