Redis CLI Credentials

ID

redis_cli

Severity

high

Vendor

Redis

Family

Data Storage Secret

Description

Redis is an in-memory data structure store, used as a distributed, in-memory key–value database, cache and message broker, with optional durability. Redis supports different kinds of abstract data structures, such as strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indices.

Security

Any hardcoded Redis Credential is a potential secret reported by this detector.

Accidentally checking-in the key to source control repositories could compromise your Redis resource.

Examples

redli --tls -h db-redis-ams3-27524.a.db.ondigitalocean.com -p@assworD

Mitigation / Fix

  1. Remove the credentials from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). In this case, the redis account password should be changed, either using the Redis Access Control List or the previous redis.conf.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://redis.io/documentation