CVE-2023-28858 – redis
Package
Manager: pip
Name: redis
Vulnerable Version: >=4.4.0 <4.4.3 || >=4.5.0 <4.5.3 || >=4.2.0 <4.3.6
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00779 (percentile 0.72803)
Details
Summary: redis-py Race Condition vulnerability
redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after cancelling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner: the reply to the cancelled command is still in flight on the pooled connection, so the next caller that borrows that connection reads it as the answer to its own, unrelated command. The fixed versions for this CVE record are 4.3.6, 4.4.3, and 4.5.3, but [are believed to be incomplete](https://github.com/redis/redis-py/issues/2665). CVE-2023-28859 has been assigned to the issues caused by the incomplete fixes (the non-pipeline case), so the fixed versions of that follow-up advisory (4.4.4 and 4.5.4), not the ones listed here, are the effective upgrade floor.
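To make the off-by-one concrete, here is an added asyncio model of the failure mode (constructed for this page, not redis-py's own code). A FakeConnection answers every command with exactly one reply, delivered to a queue after a short delay, and a Pool hands idle connections to the next caller; the names, the delays, the "reply:<command>" payloads and the two sample commands are all assumptions for the demo. `execute_vulnerable` mirrors the pre-fix shape (a cancelled read hands the connection straight back to the pool with its reply unread), while `execute_fixed` mirrors the fix's approach of disconnecting on cancellation so that reply is discarded rather than read by an unrelated request.

```python
from __future__ import annotations

import asyncio

# Constructed model of the failure mode, not redis-py's code. Names, delays and
# the "reply:<command>" payloads are assumptions made for this illustration.


class FakeConnection:
    def __init__(self, reply_delay: float = 0.01) -> None:
        self.inbox = asyncio.Queue()       # stands in for the socket's read buffer
        self.reply_delay = reply_delay
        self.closed = False
        self._server_tasks = []            # in-flight "server" replies

    async def send_command(self, cmd: str) -> None:
        # The "server" answers every command exactly once, after a delay.
        async def serve() -> None:
            await asyncio.sleep(self.reply_delay)
            await self.inbox.put(f"reply:{cmd}")
        self._server_tasks.append(asyncio.create_task(serve()))

    async def read_response(self) -> str:
        return await self.inbox.get()

    async def disconnect(self) -> None:
        # Closing the socket discards any reply still in flight for this connection.
        self.closed = True
        for task in self._server_tasks:
            task.cancel()
        await asyncio.gather(*self._server_tasks, return_exceptions=True)
        self._server_tasks.clear()


class Pool:
    def __init__(self) -> None:
        self._idle = []
        self.connections_created = 0

    def get(self) -> FakeConnection:
        if self._idle:
            return self._idle.pop()
        self.connections_created += 1
        return FakeConnection()

    def release(self, conn: FakeConnection) -> None:
        if not conn.closed:                # a disconnected connection is never reused
            self._idle.append(conn)


async def execute_vulnerable(pool: Pool, cmd: str) -> str:
    """Pre-fix shape: a cancelled read hands the connection back with its reply unread."""
    conn = pool.get()
    try:
        await conn.send_command(cmd)
        return await conn.read_response()
    finally:
        pool.release(conn)


async def execute_fixed(pool: Pool, cmd: str) -> str:
    """Fixed shape: on cancellation, drop the connection so nobody else reads our reply."""
    conn = pool.get()
    try:
        await conn.send_command(cmd)
        return await conn.read_response()
    except asyncio.CancelledError:
        await conn.disconnect()
        raise
    finally:
        pool.release(conn)


async def scenario(execute) -> tuple[str, int]:
    pool = Pool()
    # Request 1 is cancelled after its command was sent but before the reply
    # arrived (what a too-short asyncio.wait_for timeout does in practice).
    first = asyncio.create_task(execute(pool, "GET user:1:secret"))
    await asyncio.sleep(0)                 # let it send and block in read_response
    first.cancel()
    try:
        await first
    except asyncio.CancelledError:
        pass
    # Request 2 is unrelated and simply takes whatever the pool hands out.
    reply = await execute(pool, "GET user:2:name")
    return reply, pool.connections_created


def run_vulnerable() -> tuple[str, int]:
    return asyncio.run(scenario(execute_vulnerable))


def run_fixed() -> tuple[str, int]:
    return asyncio.run(scenario(execute_fixed))


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())   # request 2 receives request 1's reply
    print("fixed:     ", run_fixed())        # request 2 gets its own reply on a fresh connection
```

In the vulnerable run the second caller, which only asked for `user:2:name`, receives the reply for `user:1:secret` on the recycled connection; in the fixed run the pool discards the disconnected connection (a second one is created) and the second caller reads only its own reply. The same desynchronisation applies to every later command on that connection until it is closed, which is why the fix disconnects rather than trying to drain the buffer.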
Metadata
Created: 2023-03-26T21:30:23Z
Modified: 2024-10-25T21:45:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-24wv-mv5m-xv4h/GHSA-24wv-mv5m-xv4h.json
CWE IDs: CWE-193 (Off-by-one Error)
Alternative ID: GHSA-24wv-mv5m-xv4h
Finding: F014
Auto approve: 1