Async Command Vulnerability in Redis Client Library by Redis
CVE-2023-28858
3.7 LOW
Key Information:
- Vendor: Redis
- Library: Redis-py
- CVE Published: 26 March 2023
Badges
📰 News Worthy
Summary
The redis-py library prior to version 4.5.3 contains a flaw where it fails to properly close a connection after an async Redis command is cancelled. Because the connection is returned to the pool with its response still unread, that response can be handed to an unrelated request that next uses the connection, potentially exposing sensitive data. The issue also affects pipeline operations across different AsyncIO connections, where it adds a risk of data integrity problems. Users are encouraged to update to version 4.5.3 or later to mitigate this risk.
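As an added illustration (a constructed simulation, not redis-py's code), the failure mode the summary describes: a command is written, the await on its reply is cancelled, and the reply is later read by whichever request next borrows the same pooled connection. The `close_on_cancel` flag stands in for the fix of closing the connection when the await is cancelled; all class and function names here are assumptions of the simulation.

```python
import asyncio

class FakeConnection:
    """Constructed stand-in for one pooled Redis connection (not redis-py's code)."""
    def __init__(self):
        self._replies = asyncio.Queue()
        self.closed = False
    async def send_command(self, cmd):
        # The write returns at once; the server's reply lands on the read side later.
        asyncio.get_running_loop().call_soon(self._replies.put_nowait, f"reply-to:{cmd}")
    async def read_response(self):
        return await self._replies.get()
    async def disconnect(self):
        self.closed = True  # a reply still in flight is now never read by anyone

class Pool:
    """One-connection pool: a closed connection is replaced on next checkout."""
    def __init__(self):
        self._conn = FakeConnection()

    def get(self):
        if self._conn.closed:
            self._conn = FakeConnection()
        return self._conn

async def execute(pool, cmd, close_on_cancel):
    conn = pool.get()
    await conn.send_command(cmd)
    try:
        return await conn.read_response()
    except asyncio.CancelledError:
        if close_on_cancel:  # fixed behaviour: never pool a connection with an unread reply
            await conn.disconnect()
        raise

async def scenario(close_on_cancel):
    pool = Pool()
    first = asyncio.create_task(execute(pool, "GET user:alice:token", close_on_cancel))
    await asyncio.sleep(0)  # let the first command be written, then cancel its await
    first.cancel()
    try:
        await first
    except asyncio.CancelledError:
        pass
    # An unrelated request now borrows the same pooled connection and reads a reply.
    return await execute(pool, "GET user:bob:cart", close_on_cancel)

def simulate(close_on_cancel):
    return asyncio.run(scenario(close_on_cancel))
```

Without the fix, `simulate(False)` returns the reply belonging to the cancelled request; with it, `simulate(True)` returns the second request's own reply.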
CVSS V3.1
- Score: 3.7
- Severity: LOW
- Confidentiality: Low
- Integrity: None
- Availability: Low
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
- First article discovered by CybersecurityNews
- Vulnerability published
- Vulnerability reserved