CVE-2023-28859

Summary

CVE	CVE-2023-28859
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-03-26 19:15:00 UTC
Updated	2023-05-17 17:08:00 UTC
Description	redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.

Risk And Classification

Problem Types: CWE-459

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Redis	Redis-py	All	All	All	All
Application	Redis	Redis-py	All	All	All	All

References

Reference	Source	Link	Tags
Release 4.5.4 · redis/redis-py · GitHub	MISC	github.com
Fixing cancelled async futures by chayim · Pull Request #2666 · redis/redis-py · GitHub	MISC	github.com
Release 4.4.4 · redis/redis-py · GitHub	MISC	github.com
AsyncIO Race Condition Fix by chayim · Pull Request #2641 · redis/redis-py · GitHub	MISC	github.com
Canceling async Redis command leaves connection open, in unsafe state for future commands · Issue #2665 · redis/redis-py · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

503224 Alpine Linux Security Update for py3-redis
506179 Alpine Linux Security Update for py3-redis
691138 Free Berkeley Software Distribution (FreeBSD) Security Update for py39 (8aa6340d-e7c6-41e0-b2a3-3c9e9930312a)