Pypi · Redis-Py · CVE-2023-28858
**Name of the Vulnerable Software and Affected Versions**
redis-py versions prior to 4.5.3
**Description**
redis-py leaves a connection open after an async Redis command is cancelled at an inopportune time, specifically during a pipeline operation. Because the cancelled command's reply is still pending on that connection, response data can be delivered to the client of an unrelated request in an off-by-one manner, potentially allowing a remote attacker to gain unauthorized access to protected information. The library is used in products such as ChatGPT.
**Recommendations**
For redis-py versions prior to 4.5.3, update to a fixed release: 4.3.6, 4.4.3, or 4.5.3 and later. Note that these fixes may be incomplete, and additional issues may be addressed as separate vulnerabilities. As a temporary workaround, consider restricting the use of pipeline operations until a more comprehensive fix is available.
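The failure mode described above, and the shape of the remediation, as an added illustration that is not part of this advisory and not redis-py's own code. It uses a constructed in-memory stand-in for a pooled connection (`FakeConnection`, `execute_unpatched`, `execute_patched`, the one-slot pool and the `session:*` keys are all assumptions made for the example). A request cancelled between sending a command and reading its reply leaves that reply queued on the shared connection, so the next unrelated caller on the same connection receives it; the patched variant discards the connection on cancellation so the stale reply can never be read by anyone else.

```python
import asyncio


class FakeConnection:
    """Constructed stand-in for one socket to a Redis server.

    The server answers every command it receives, in order, whether or not
    the client is still waiting; unread answers queue up on the socket.
    """

    def __init__(self) -> None:
        self.pending: list[str] = []  # replies written by the "server", not yet read
        self.disconnected = False

    async def send_command(self, cmd: str) -> None:
        self.pending.append(f"reply-to:{cmd}")
        await asyncio.sleep(0)  # suspension point: a cancel can land here

    async def read_response(self) -> str:
        await asyncio.sleep(0)
        return self.pending.pop(0)  # hands back whatever is at the head of the queue

    def disconnect(self) -> None:
        # Dropping the socket discards any reply nobody has read.
        self.pending.clear()
        self.disconnected = True


async def execute_unpatched(conn: FakeConnection, cmd: str) -> str:
    """Send and read on a shared connection with no cancellation handling."""
    await conn.send_command(cmd)
    # If cancelled before this read completes, the reply stays queued on conn.
    return await conn.read_response()


async def execute_patched(conn: FakeConnection, cmd: str) -> str:
    """Same flow, but a cancelled request tears its connection down (assumed fix)."""
    try:
        await conn.send_command(cmd)
        return await conn.read_response()
    except asyncio.CancelledError:
        conn.disconnect()  # never let a later caller read this request's reply
        raise


async def _scenario(execute) -> str:
    """Cancel one request mid-flight, then issue an unrelated one on the same pool."""
    pool = [FakeConnection()]  # constructed one-connection pool

    def acquire() -> FakeConnection:
        if pool[0].disconnected:
            pool[0] = FakeConnection()  # a real pool replaces a dead socket
        return pool[0]

    task = asyncio.create_task(execute(acquire(), "GET session:alice"))
    await asyncio.sleep(0)  # let the request run until its first suspension point
    task.cancel()  # client gives up at the worst possible moment
    try:
        await task
    except asyncio.CancelledError:
        pass

    # An unrelated request now reuses the pooled connection.
    return await execute(acquire(), "GET session:bob")


def run_unpatched() -> str:
    """Reply seen by bob's request when cancellation is not handled."""
    return asyncio.run(_scenario(execute_unpatched))


def run_patched() -> str:
    """Reply seen by bob's request when a cancelled request drops its connection."""
    return asyncio.run(_scenario(execute_patched))


if __name__ == "__main__":
    print("unpatched, bob's request received:", run_unpatched())
    print("patched,   bob's request received:", run_patched())
```

Running the block shows bob's request receiving alice's reply in the unpatched case and its own reply once a cancelled request discards its connection. The practical check for a deployment is the installed version: `pip show redis` should report 4.3.6, 4.4.3, or 4.5.3 and later, and async callers should still avoid relying on cancellation mid-pipeline until the advisory's "may be incomplete" caveat is resolved.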