CVE-2023-28859

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-28859
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28859.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-28859
Aliases
Related
Published
2023-03-26T19:15:06Z
Modified
2025-05-28T10:34:11.862755Z
Downstream
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.

References

Affected packages

Git / github.com/redis/redis-py

Affected ranges

Type
GIT
Repo
https://github.com/redis/redis-py
Events

Affected versions

2.*

2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.10.6
2.4.10
2.4.11
2.4.12
2.4.13
2.4.6
2.4.7
2.4.8
2.4.9
2.6.0
2.6.1
2.6.2
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.8.0
2.9.0
2.9.1

3.*

3.0.0
3.0.1
3.1.0
3.2.0
3.2.1
3.3.0
3.3.1
3.3.10
3.3.11
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.4.0
3.4.1
3.5.0
3.5.1
3.5.2
3.5.3

v4.*

v4.0.0
v4.0.0b1
v4.0.0b2
v4.0.0b3
v4.0.0rc1
v4.0.0rc2
v4.0.1
v4.0.2
v4.1.0
v4.1.0rc1
v4.1.0rc2
v4.1.1
v4.1.2
v4.2.0
v4.2.0rc1
v4.2.0rc2
v4.2.0rc3
v4.2.1
v4.2.2
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.4.0
v4.4.0rc1
v4.4.0rc2
v4.4.0rc3
v4.4.0rc4
v4.4.1
v4.4.2
v4.4.3
v4.5.0
v4.5.1
v4.5.2
v4.5.3