Package: redis-tools Version: 2.8.17-1+deb8u3 Severity: grave Tags: security
redis-cli stores its history in ~/.rediscli_history, this file is created with permissions 0644. Home folders are world readable as well in debian, so any user can access other users redis history, including AUTH commands, which include credentials. I've contacted upstream on 2016-05-30 without any reaction at all and discovered this bug was first reported 3 years ago, still unfixed. @RedisLabs keeps referring to their paid support on twitter. Demo: `cat /home/*/.rediscli_history`
