PYSEC-2023-45

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/redis/PYSEC-2023-45.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2023-45
Aliases
Published
2023-03-26T19:15:00Z
Modified
2023-11-08T04:12:15.374587Z
Summary
[none]
Details

redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3; however, CVE-2023-28859 is a separate vulnerability.

References

Affected packages

PyPI / redis

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.3.6
Introduced
4.4.0
Fixed
4.4.3
Introduced
4.5.0
Fixed
4.5.3

Affected versions

4.*

4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.4.0
4.4.1
4.4.2
4.5.0
4.5.1
4.5.2