GHSA-8fww-64cx-x8p5

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-8fww-64cx-x8p5/GHSA-8fww-64cx-x8p5.json
Aliases
Published
2023-03-26T21:30:23Z
Modified
2023-05-05T20:49:13.856087Z
Details

redis-py through 4.5.3 and 4.4.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.

References

Affected packages

PyPI / redis

redis

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.5.0
Fixed
4.5.4

Affected versions

4.*

4.5.0
4.5.1
4.5.2
4.5.3

PyPI / redis

redis

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
4.4.4

Affected versions

0.*

0.6.0
0.6.1

1.*

1.34
1.34.1

2.*

2.0.0
2.10.0
2.10.1
2.10.2
2.10.3
2.10.5
2.10.6
2.2.0
2.2.2
2.2.4
2.4.0
2.4.1
2.4.10
2.4.11
2.4.12
2.4.13
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.6.0
2.6.1
2.6.2
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.8.0
2.9.0
2.9.1

3.*

3.0.0
3.0.0.post1
3.0.1
3.1.0
3.2.0
3.2.1
3.3.0
3.3.1
3.3.10
3.3.11
3.3.2
3.3.3
3.3.4
3.3.5
3.3.6
3.3.7
3.3.8
3.3.9
3.4.0
3.4.1
3.5.0
3.5.1
3.5.2
3.5.3

4.*

4.0.0
4.0.0b1
4.0.0b2
4.0.0b3
4.0.0rc1
4.0.0rc2
4.0.1
4.0.2
4.1.0
4.1.0rc1
4.1.0rc2
4.1.1
4.1.2
4.1.3
4.1.4
4.2.0
4.2.0rc1
4.2.0rc2
4.2.0rc3
4.2.1
4.2.2
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.4.0
4.4.0rc1
4.4.0rc2
4.4.0rc3
4.4.0rc4
4.4.1
4.4.2
4.4.3