CVE-2023-28859

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-28859

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28859.json

Aliases

GHSA-8fww-64cx-x8p5
PYSEC-2023-46

Published

2023-03-26T19:15:06Z

Modified

2023-11-29T09:55:39.173979Z

Details

redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.

References

https://github.com/redis/redis-py/issues/2665
https://github.com/redis/redis-py/pull/2641
https://github.com/redis/redis-py/pull/2666
https://github.com/redis/redis-py/releases/tag/v4.4.4
https://github.com/redis/redis-py/releases/tag/v4.5.4

Affected packages

Git / github.com/redis/redis-py

Affected ranges

Type: GIT
Repo: https://github.com/redis/redis-py
Events: Introduced

5cb5712d283fa8fb300abc9d71a61c1a81de5643

Fixed

e1017fd77afd2f56dca90f986fc82e398e518a26

Introduced

ef4caf5b8bd55fc5c3ca7d994e2047e046f7e942

Affected versions

v4.*

v4.5.0

v4.5.1

v4.5.2

v4.5.3