Product Version Release Advisory VMware Tanzu Valkey v7.2.6

Product/Component

VMware Tanzu Data Services

0 more products

Notification Id

25503

Last Updated

13 March 2025

Initial Publication Date

13 March 2025

Status

CLOSED

Severity

HIGH

CVSS Base Score

7.0

WorkAround

Affected CVE

CVE-2024-31449, CVE-2024-31227, CVE-2024-31228

Product Release Advisory

Advisory ID:	TNZ-2025-11
Severity:	High
Issue Date:	2025-02-26
Updated on:	2025-02-26
Synopsis	Valkey v7.2.6 has the following vulnerabilities that were addressed in Valkey v8.0.1 / VMware Tanzu for Valkey 1.1.0-beta: Lua library commands can be exploited by an authenticated user to achieve remote-code-execution. Denial-of-service because of malformed ACL selectors. Denial-of-service because of unbounded pattern-matching.

Product Version Release Advisory

VMware Tanzu for Valkey 1.0.0-beta
https://techdocs.broadcom.com/us/en/vmware-tanzu/data-solutions/tanzu-valkey/1-0-0-beta/tanzu-valkey-docs/release-notes.html

Security Fixes

This release has the following security fixes, listed by component and area.

Component	Vulnerabilities Resolved
Valkey v7.2.6, fixed in Valkey 8.0.1	CVE-2024-31449 Lua library commands can be exploited by an authenticated user to achieve remote-code-execution. CVE-2024-31227 Denial-of-service because of malformed ACL selectors. CVE-2024-31228 Denial-of-service because of unbounded pattern-matching.

History

2025-02-26: Initial vulnerability report published.

Contact

E-mail: [email protected]

VMware Tanzu Security Advisories

https://support.broadcom.com/group/ecx/security-advisory?segment=VT