Async Command Vulnerability in Redis Client Library by Redis
CVE-2023-28858

3.7LOW

Key Information:

Vendor: Redis
Status: Redis-py
Vendor: CVE Published:; 26 March 2023

🔔 Create Redis Vulnerability Alert

Badges

📰 News Worthy

What is CVE-2023-28858?

The redis-py library prior to version 4.5.3 contains a flaw where it fails to properly close connections after an async Redis command is canceled. This oversight can lead to the unintended leakage of response data to clients from unrelated requests, potentially exposing sensitive information. This vulnerability particularly affects how pipeline operations operate across different AsyncIO connections, increasing the risk of data integrity issues. Users are encouraged to update to version 4.5.3 or later to mitigate this risk.

News Articles

CybersecurityNews

CVE-2023-24880 CVE-2023-28858

Top 10 Vulnerabilities That Were Exploited the Most In 2023

Some of the vulnerabilities were added to the CISA’s Known Exploited Vulnerabilities catalog marking them as extremely important to patch.

thmubnail image

References

https://github.com/redis/redis-py/pull/2641

https://github.com/redis/redis-py/issues/2624

https://github.com/redis/redis-py/compare/v4.5.2...v4.5.3

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

📰
First article discovered by CybersecurityNews
Oct 6, 2024
Vulnerability published
Mar 26, 2023
Vulnerability Reserved
Mar 26, 2023

.

CVE-2023-28858 : Async Command Vulnerability in Redis Client Library by Redis