Business information leak - Redis
Description
Due to a misconfiguration of the Redis service, it is possible to connect to the dictionary server and obtain business information by deserializing objects contained in the keys, from which the following can be extracted: - List of users. - Employee information such as IDs and names. - Customer information such as Nits, names and IDs.
Impact
Obtain information from users, customers and employees.
Recommendation
According to the classification of the information found, establish the necessary controls so that the information is accessible only to the indicated persons and from authorized segments.
Threat
Internal attacker with Redis credentials.
Expected Remediation Time
⏱️ 60 minutes.
Requirements
176 - Restrict system objects177 - Avoid caching and temporary files261 - Avoid exposing sensitive information300 - Mask sensitive dataFixes
Score
Default score using CVSS 4.0. It may change depending on the context of the src.
Base 4.0
Attack vector
A
Attack complexity
L
Attack requirements
N
Privileges required
H
User interaction
N
Confidentiality (VC)
H
Integrity (VI)
N
Availability (VA)
N
Confidentiality (SC)
N
Integrity (SI)
N
Availability (SA)
N
Threat 4.0
Exploit maturity
X
Vector string
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N