GHSA-24wv-mv5m-xv4h

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-24wv-mv5m-xv4h/GHSA-24wv-mv5m-xv4h.json
Aliases
Published
2023-03-26T21:30:23Z
Modified
2023-05-17T19:00:50.578037Z
Details

redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but are believed to be incomplete. CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.

References

Affected packages

PyPI / redis

redis

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
4.3.6

Affected versions

0.*

0.6.0
0.6.1

1.*

1.34
1.34.1

2.*

2.0.0
2.10.0
2.10.1
2.10.2
2.10.3
2.10.5
2.10.6
2.2.0
2.2.2
2.2.4
2.4.0
2.4.1
2.4.10
2.4.11
2.4.12
2.4.13
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.6.0
2.6.1
2.6.2
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.8.0
2.9.0
2.9.1

3.*

3.0.0
3.0.0.post1
3.0.1
3.1.0
3.2.0
3.2.1
3.3.0
3.3.1
3.3.10
3.3.11
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.4.0
3.4.1
3.5.0
3.5.1
3.5.2
3.5.3

4.*

4.0.0
4.0.0b1
4.0.0b2
4.0.0b3
4.0.0rc1
4.0.0rc2
4.0.1
4.0.2
4.1.0
4.1.0rc1
4.1.0rc2
4.1.1
4.1.2
4.1.3
4.1.4
4.2.0
4.2.0rc1
4.2.0rc2
4.2.0rc3
4.2.1
4.2.2
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5

PyPI / redis

redis

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.4.3

Affected versions

4.*

4.4.0
4.4.1
4.4.2

PyPI / redis

redis

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.5.0
Fixed
4.5.3

Affected versions

4.*

4.5.0
4.5.1
4.5.2