219 – Business information leak - Redis

Description

Due to a misconfiguration of the Redis service, it is possible to connect to the dictionary server and obtain business information by deserializing objects contained in the keys, from which the following can be extracted: - List of users. - Employee information such as IDs and names. - Customer information such as Nits, names and IDs.

Impact

Obtain information from users, customers and employees.

Recommendation

According to the classification of the information found, establish the necessary controls so that the information is accessible only to the indicated persons and from authorized segments.

Threat

Internal attacker with Redis credentials.

Expected Remediation Time

60 minutes.

Score 4.0

Default score using CVSS 4.0. It may change depending on the context of the src.

Base 4.0

• Attack vector: A
• Attack complexity: L
• Attack Requirements: N
• Privileges required: H
• User interaction: N
• Confidentiality (VC): H
• Integrity (VI): N
• Availability (VA): N
• Confidentiality (SC): N
• Integrity (SI): N
• Availability (SA): N

Threat 4.0

• Exploit maturity: X

Requirements

• 176 - Restrict system objects
• 177 - Avoid caching and temporary files
• 261 - Avoid exposing sensitive information
• 300 - Mask sensitive data

Last updated

2024/02/16