PYSEC-2023-46

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/redis/PYSEC-2023-46.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2023-46
Aliases
Published
2023-03-26T19:15:00Z
Modified
2023-11-08T04:12:15.434725Z
Summary
[none]
Details

redis-py through 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.

References

Affected packages

PyPI / redis

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2.0
Fixed
4.4.4
Introduced
4.5.0
Fixed
4.5.4

Affected versions

4.*

4.2.0
4.2.1
4.2.2
4.3.0
4.3.1
4.3.2
4.3.3
4.3.4
4.3.5
4.3.6
4.4.0rc1
4.4.0rc2
4.4.0rc3
4.4.0rc4
4.4.0
4.4.1
4.4.2
4.4.3
4.5.0
4.5.1
4.5.2
4.5.3