Async Command Vulnerability in Redis Client Library by Redis
CVE-2023-28858

3.7LOW

Key Information:

Vendor: Redis
Product: redis-py
CVE Published: 26 March 2023

Badges

📰 News Worthy

Summary

redis-py versions prior to 4.5.3 leave a connection in an unsafe state when an async Redis command is cancelled at an inopportune time, for example by an asyncio timeout while the client is still waiting for the server's reply. The connection is returned to the pool with that reply still pending, so the next command issued on it receives the previous command's response in an off-by-one manner: response data is delivered to the client of an unrelated request, which can expose data the second caller was never meant to see. The same condition affects pipelines, where cancelling a pipeline can leave a queue of unread replies on an AsyncIO connection. Users should upgrade to redis-py 4.5.3 or later.
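The failure mode described above, reproduced against a constructed fake server with a minimal pooled client. This is an added illustration, not redis-py code: the names `fake_redis`, `Connection`, `Pool`, `demo` and `run_demo` are hypothetical, the server only understands `GET <key>`, and the key `slow` is answered late so that a client-side timeout can cancel the command while its reply is still in flight. With `safe=False` the connection goes back to the pool after the timeout and the next caller reads the earlier command's reply; with `safe=True` the cancelled connection is discarded instead, which is the general shape of the mitigation (an assumption about the approach, not the upstream patch itself). Only the Python standard library and a loopback socket are needed.

```python
"""Off-by-one reply leak after cancelling an async command.

Constructed demo: a fake RESP-speaking server plus a tiny pooled client.
Neither is redis-py code; the client only imitates the shape of the bug.
"""
import asyncio

HOST = "127.0.0.1"


async def fake_redis(reader, writer):
    """Server stub: answers `GET <key>` with the RESP bulk string `<key>-value`.
    The key `slow` is answered late, which is what lets a client timeout
    cancel the command while its reply is still owed by the server."""
    try:
        while (line := await reader.readline()):
            key = line.decode().split()[-1]
            if key == "slow":
                await asyncio.sleep(0.2)
            value = f"{key}-value"
            writer.write(f"${len(value)}\r\n{value}\r\n".encode())
            await writer.drain()
    except (ConnectionError, asyncio.IncompleteReadError):
        pass  # client went away mid-reply; nothing left to do
    finally:
        writer.close()


class Connection:
    """One pooled socket to the server. `safe` selects the hardened behaviour."""

    def __init__(self, reader, writer, safe):
        self.reader, self.writer, self.safe = reader, writer, safe
        self.broken = False

    async def execute(self, *args):
        try:
            self.writer.write((" ".join(args) + "\r\n").encode())
            await self.writer.drain()
            return await self.read_response()
        except asyncio.CancelledError:
            if self.safe:
                # Hardened: the command may already be on the wire and its reply
                # still pending, so this socket must never be reused. Mark it and
                # close it; the pool will open a fresh one for the next caller.
                self.broken = True
                self.writer.close()
            # Vulnerable path (safe=False): nothing is done here, so the
            # connection returns to the pool with an unread reply queued on it.
            raise

    async def read_response(self):
        header = await self.reader.readline()           # e.g. b"$10\r\n"
        size = int(header[1:])
        body = await self.reader.readexactly(size + 2)  # payload plus CRLF
        return body[:-2].decode()


class Pool:
    """Trivial pool: reuse an idle connection if one exists, else open one."""

    def __init__(self, port, safe):
        self.port, self.safe, self.idle, self.opened = port, safe, [], 0

    async def get(self):
        if self.idle:
            return self.idle.pop()
        reader, writer = await asyncio.open_connection(HOST, self.port)
        self.opened += 1
        return Connection(reader, writer, self.safe)

    def release(self, conn):
        if not conn.broken:
            self.idle.append(conn)


async def demo(safe):
    server = await asyncio.start_server(fake_redis, HOST, 0)
    port = server.sockets[0].getsockname()[1]
    pool = Pool(port, safe)

    conn = await pool.get()
    try:
        # A client-side timeout cancels GET slow while the reply is still pending.
        await asyncio.wait_for(conn.execute("GET", "slow"), timeout=0.05)
    except asyncio.TimeoutError:
        pass
    pool.release(conn)

    # An unrelated request takes a connection from the pool and asks for `fast`.
    conn2 = await pool.get()
    reply = await conn2.execute("GET", "fast")

    for c in {conn, conn2}:
        c.writer.close()
        await c.writer.wait_closed()
    server.close()
    await server.wait_closed()
    return {"reply_to_get_fast": reply, "connections_opened": pool.opened}


def run_demo(safe):
    """Run one scenario and report what GET fast actually received."""
    return asyncio.run(demo(safe))


if __name__ == "__main__":
    print("vulnerable:", run_demo(safe=False))  # reply_to_get_fast == 'slow-value'
    print("hardened:  ", run_demo(safe=True))   # reply_to_get_fast == 'fast-value'
```

In the vulnerable run the single pooled connection hands the reply for `slow` to the caller that asked for `fast`; in the hardened run the pool opens a second connection and the reply lines up with the request. To check whether a deployment is affected, compare the installed version against 4.5.3, for example with `python -c "import redis; print(redis.__version__)"` or `pip show redis`.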

News Articles

Top 10 Vulnerabilities That Were Exploited the Most In 2023

Some of the vulnerabilities were added to the CISA’s Known Exploited Vulnerabilities catalog marking them as extremely important to patch.

CVSS V3.1

Score: 3.7
Severity: LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📰

    First article discovered by CybersecurityNews

  • Vulnerability published

  • Vulnerability Reserved
