PT-2023-2098 · Pypi+2 · Redis-Py+2

Drago-Balto

Publicado

2023-03-26

Atualizado

2024-07-01

CVE-2023-28859

CVSS v4.0

7.1

Alta

Vetor

AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions redis-py versions 4.4.0 through 4.4.3 redis-py versions 4.5.0 through 4.5.3

Description The issue is related to the redis-py library for Python, which is associated with a lack of protection for service data. This could allow a remote attacker to gain unauthorized access to protected information. The problem occurs when an async Redis command is canceled at an inopportune time, leaving a connection open and potentially sending response data to the client of an unrelated request, particularly in the case of non-pipeline operations.

Recommendations For redis-py versions 4.4.0 through 4.4.3, update to version 4.4.4 or later. For redis-py versions 4.5.0 through 4.5.3, update to version 4.5.4 or later.

Correção

Race Condition

Information Disclosure

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-459CWE-362CWE-200

Identificadores relacionados

BDU:2023-01832

CVE-2023-28859

GHSA-8FWW-64CX-X8P5

OPENSUSE-SU-2024:12873-1

OPENSUSE-SU-2024_1639-1

OPENSUSE-SU-2024_1639-2

PYSEC-2023-46

SUSE-SU-2024:1639-1

SUSE-SU-2024:1639-2

Produtos afetados

Red Os

Suse

Redis-Py

PT-2023-2098 · Pypi+2 · Redis-Py+2

CVE-2023-28859

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 40