redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
References
Link | Resource |
---|---|
https://github.com/redis/redis-py/issues/2665 | Issue Tracking Patch Vendor Advisory |
https://github.com/redis/redis-py/pull/2641 | Issue Tracking Patch |
https://github.com/redis/redis-py/pull/2666 | Release Notes |
https://github.com/redis/redis-py/releases/tag/v4.4.4 | Release Notes |
https://github.com/redis/redis-py/releases/tag/v4.5.4 | Release Notes |
Configurations
Configuration 1 (hide)
|
History
17 May 2023, 17:08
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-459 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
CPE | cpe:2.3:a:redis:redis-py:*:*:*:*:*:*:*:* | |
References | (MISC) https://github.com/redis/redis-py/releases/tag/v4.5.4 - Release Notes | |
References | (MISC) https://github.com/redis/redis-py/releases/tag/v4.4.4 - Release Notes | |
References | (MISC) https://github.com/redis/redis-py/pull/2641 - Issue Tracking, Patch | |
References | (MISC) https://github.com/redis/redis-py/issues/2665 - Issue Tracking, Patch, Vendor Advisory | |
References | (MISC) https://github.com/redis/redis-py/pull/2666 - Release Notes |
30 Mar 2023, 22:15
Type | Values Removed | Values Added |
---|---|---|
Summary | redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general. | |
References |
|
27 Mar 2023, 12:40
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-03-26 19:15
Updated : 2024-02-04 23:37
NVD link : CVE-2023-28859
Mitre link : CVE-2023-28859
CVE.ORG link : CVE-2023-28859
JSON object : View
Products Affected
redis
- redis-py
CWE
CWE-459
Incomplete Cleanup