CVE-2023-28858

3.7 LOW

Key Information:

Vendor: Redis
Status: Redis-py
CVE Published: 26 March 2023

Badges

📰 News Worthy

Summary

redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.

News Articles

Top 10 Vulnerabilities That Were Exploited the Most In 2023

Some of the vulnerabilities were added to the CISA’s Known Exploited Vulnerabilities catalog marking them as extremely important to patch.


CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 📰 First article discovered by CybersecurityNews

  • Vulnerability published

  • Vulnerability Reserved