GHSA-24wv-mv5m-xv4h
- Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-24wv-mv5m-xv4h/GHSA-24wv-mv5m-xv4h.json
- Aliases
-
- CVE-2023-28858 ( PYSEC-2023-45 )
- Published
- 2023-03-26T21:30:23Z
- Modified
- 2023-05-17T19:00:50.578037Z
- Details
-
redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but are believed to be incomplete. CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2023-28858
- https://github.com/redis/redis-py/issues/2624
- https://github.com/redis/redis-py/pull/2641
- https://github.com/redis/redis-py
- https://github.com/redis/redis-py/compare/v4.3.5...v4.3.6
- https://github.com/redis/redis-py/compare/v4.4.2...v4.4.3
- https://github.com/redis/redis-py/compare/v4.5.2...v4.5.3
- https://github.com/redis/redis-py/releases/tag/v4.4.4
- https://github.com/redis/redis-py/releases/tag/v4.5.4
- https://openai.com/blog/march-20-chatgpt-outage
Affected packages
PyPI / redis
redis
Affected versions
0.*
0.6.0
0.6.1
1.*
1.34
1.34.1
2.*
2.0.0
2.10.0
2.10.1
2.10.2
2.10.3
2.10.5
2.10.6
2.2.0
2.2.2
2.2.4
2.4.0
2.4.1
2.4.10
2.4.11
2.4.12
2.4.13
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.6.0
2.6.1
2.6.2
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.8.0
2.9.0
2.9.1
3.*
3.0.0
3.0.0.post1
3.0.1
3.1.0
3.2.0
3.2.1
3.3.0
3.3.1
3.3.10
3.3.11
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.4.0
3.4.1
3.5.0
3.5.1
3.5.2
3.5.3
4.*
4.0.0
4.0.0b1
4.0.0b2
4.0.0b3
4.0.0rc1
4.0.0rc2
4.0.1
4.0.2
4.1.0
4.1.0rc1
4.1.0rc2
4.1.1
4.1.2
4.1.3
4.1.4
4.2.0
4.2.0rc1
4.2.0rc2
4.2.0rc3
4.2.1
4.2.2
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
PyPI / redis
redis