Platform: ruby
Component: redis-store
Fixed in: 1.4.0
CVE-2017-1000248 is a critical vulnerability affecting versions of redis-store up to and including 1.3.0. This flaw allows attackers to load unsafe objects from a Redis instance, potentially leading to arbitrary code execution within the affected Ruby application. A fix is available in version 1.4.0, and users are strongly advised to upgrade immediately.
The core of this vulnerability lies in the redis-store gem's handling of data retrieved from Redis. Prior to version 1.4.0, the gem does not adequately sanitize or validate objects deserialized from Redis. An attacker who can inject malicious data into Redis—for example, by exploiting another vulnerability in the Redis server itself or through a compromised application—can then trigger the redis-store gem to load and execute this malicious data. This could lead to complete compromise of the Ruby application, including data theft, modification, and remote code execution. The blast radius extends to any sensitive data stored or processed by the application, and potentially to other systems accessible from the compromised application server.
CVE-2017-1000248 was publicly disclosed on December 6, 2017. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the potential for remote code execution makes it a high-priority target. The vulnerability's simplicity and the widespread use of Redis increase the likelihood of exploitation. It is not currently listed on the CISA KEV catalog, but its critical severity warrants ongoing monitoring.
Exploit Status
EPSS: 0.46% (64th percentile)
The primary mitigation for CVE-2017-1000248 is to upgrade the redis-store gem to version 1.4.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter input validation and sanitization on any data stored in Redis. Additionally, review and harden the Redis server itself to prevent unauthorized data injection. While a WAF cannot directly address this vulnerability, it can help mitigate the impact of potential exploits by filtering malicious payloads. Implement robust access controls and authentication mechanisms for the Redis server to limit potential attack vectors.
CVE-2017-1000248 is a critical vulnerability in redis-store versions up to 1.3.0 that allows attackers to load unsafe objects from Redis, potentially leading to remote code execution.
If you are using redis-store version 1.3.0 or earlier, you are affected by this vulnerability. Check your gem version using gem list redis-store.
Upgrade the redis-store gem to version 1.4.0 or later. If upgrading is not immediately possible, implement stricter input validation and sanitization on data stored in Redis.
While no confirmed active exploitation campaigns have been publicly linked, the vulnerability's severity and potential impact make it a high-priority target.
Refer to the Ruby Security Advisory for details: https://rubysec.com/advisories/CVE-2017-1000248
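The affected-version check described above can also be run against a project's Gemfile.lock, which records the exact resolved version. This is an added example, not code from redis-store or the advisory; the helper names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # Gem::Version gives correct version ordering

# First fixed release named on this page; anything below it is affected.
FIXED_VERSION = Gem::Version.new("1.4.0")

# Return the locked redis-store version from Gemfile.lock text, or nil.
# Resolved gems sit under "specs:" indented by exactly four spaces, so
# DEPENDENCIES entries (two spaces) and the requirement lines of other
# gems (six spaces) are not mistaken for the installed version.
def locked_redis_store_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}redis-store \(([^)\s]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Classify a lockfile as :not_present, :affected or :fixed.
def redis_store_status(lockfile_text)
  version = locked_redis_store_version(lockfile_text)
  return :not_present if version.nil?
  version < FIXED_VERSION ? :affected : :fixed
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      redis (3.3.5)
      redis-rack (2.0.2)
        rack (>= 1.5, < 3)
        redis-store (>= 1.2, < 2)
      redis-store (1.3.0)
        redis (>= 2.2)

  DEPENDENCIES
    redis-rack
LOCK

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path && File.file?(path) ? File.read(path) : SAMPLE_LOCK
  puts "redis-store: #{redis_store_status(text)}"
end
```

Pass the path to a Gemfile.lock as the first argument to check a real project; with no argument the constructed sample is used.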