CVE-2023-28859

redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/redis/redis-py/issues/2665	Issue Tracking Patch Vendor Advisory
https://github.com/redis/redis-py/pull/2641	Issue Tracking Patch
https://github.com/redis/redis-py/pull/2666	Release Notes
https://github.com/redis/redis-py/releases/tag/v4.4.4	Release Notes
https://github.com/redis/redis-py/releases/tag/v4.5.4	Release Notes

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redis:redis-py::::::::
	cpe:2.3:a:redis:redis-py::::::::

History

05 Apr 2023, 19:06

Type	Values Removed	Values Added
CWE		CWE-459
First Time		Redis redis-py Redis
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CPE		cpe:2.3:a:redis:redis-py::::::::
References	~~(MISC) https://github.com/redis/redis-py/releases/tag/v4.4.4 -~~	(MISC) https://github.com/redis/redis-py/releases/tag/v4.4.4 - Release Notes
References	~~(MISC) https://github.com/redis/redis-py/pull/2666 -~~	(MISC) https://github.com/redis/redis-py/pull/2666 - Release Notes
References	~~(MISC) https://github.com/redis/redis-py/issues/2665 -~~	(MISC) https://github.com/redis/redis-py/issues/2665 - Issue Tracking, Patch, Vendor Advisory
References	~~(MISC) https://github.com/redis/redis-py/releases/tag/v4.5.4 -~~	(MISC) https://github.com/redis/redis-py/releases/tag/v4.5.4 - Release Notes
References	~~(MISC) https://github.com/redis/redis-py/pull/2641 -~~	(MISC) https://github.com/redis/redis-py/pull/2641 - Issue Tracking, Patch

30 Mar 2023, 22:15

Type	Values Removed	Values Added
Summary	redis-py through 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.	redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
References		(MISC) https://github.com/redis/redis-py/releases/tag/v4.4.4 - (MISC) https://github.com/redis/redis-py/releases/tag/v4.5.4 - (MISC) https://github.com/redis/redis-py/pull/2666 -

26 Mar 2023, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-03-26 19:15

Updated : 2023-12-10 15:01

NVD link : CVE-2023-28859

Mitre link : CVE-2023-28859

CVE.ORG link : CVE-2023-28859

JSON object : View

Products Affected

redis

redis-py

CWE

CWE-459

Incomplete Cleanup

6.5 /10