CVE-2023-28858
Summary
| CVE | CVE-2023-28858 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-03-26 19:15:00 UTC |
| Updated | 2023-05-17 17:07:00 UTC |
| Description | redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general. |
Risk And Classification
Problem Types: CWE-193
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Comparing v4.3.5...v4.3.6 · redis/redis-py · GitHub | MISC | github.com | |
| March 20 ChatGPT outage: Here’s what happened | MISC | openai.com | |
| Off by 1 - Canceling async Redis command leaves connection open, in unsafe state for future commands · Issue #2624 · redis/redis-py · GitHub | MISC | github.com | |
| AsyncIO Race Condition Fix by chayim · Pull Request #2641 · redis/redis-py · GitHub | MISC | github.com | |
| Comparing v4.5.2...v4.5.3 · redis/redis-py · GitHub | MISC | github.com | |
| Comparing v4.4.2...v4.4.3 · redis/redis-py · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.