PT-2023-2097 · Pypi+3 · Redis-Py+3

Drago-Balto · Published 2023-03-26 · Updated 2024-07-01 · CVE-2023-28858

CVSS v4.0 6.3 Medium
Vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
redis-py versions prior to 4.5.3 (the 4.3.x and 4.4.x branches are fixed in 4.3.6 and 4.4.3 respectively; see Recommendations).
Description
redis-py's asyncio client can leave a connection in a corrupted state when an async command is cancelled at an inopportune time, specifically during a pipeline operation. A Redis connection is a strict FIFO: the N-th reply read from the socket belongs to the N-th command written to it. If the task awaiting a pipeline is cancelled (for example by a timeout) after the commands have been written but before all of their replies have been read, the library returns the connection to the pool with those replies still unread in its buffer. The next caller that is handed the same connection then reads the stale reply as the answer to its own, unrelated command, and every following reply on that connection is shifted by one. Data belonging to one request is therefore delivered to another, which lets a remote, unauthenticated user obtain protected information that the application stores in Redis on behalf of someone else. The library is used in products such as ChatGPT; the CVE was initially created in response to reports about that service.
Recommendations
Update redis-py to 4.5.3 or later; for the 4.3.x and 4.4.x branches the corresponding fixes are 4.3.6 and 4.4.3. Note that these releases only change the behaviour for pipeline operations (a pipeline that is cancelled now discards its connection instead of returning it to the pool), so they are not a complete fix: the same stale-reply problem for ordinary, non-pipeline asyncio commands is tracked separately as CVE-2023-28859 and addressed in 4.4.4 and 4.5.4. Until a patched version is deployed, avoid asyncio pipeline operations, or make sure that any connection whose command was cancelled (e.g. by asyncio.wait_for or a request timeout) is disconnected rather than released back to the pool.
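The following script is an added illustration written for this page; it is not redis-py's code and not part of the original advisory. It reproduces the race described above against an in-memory stand-in for a Redis connection (FakeConnection), a single-connection pool modelled as a plain asyncio.Queue, and a constructed keyspace with hypothetical keys and values. pipeline_execute_vulnerable mirrors the pre-4.5.3 shape (connection released after cancellation with unread replies), pipeline_execute_fixed mirrors the 4.5.3 shape (connection dropped on cancellation); both are simplified sketches, not the library's actual functions. The real client speaks RESP over a socket and reconnects lazily after a disconnect, which the fake does not model.

```python
import asyncio

# Constructed sample keyspace (hypothetical keys and values).
FAKE_KEYSPACE = {
    "user:1:api_key": "sk-live-EXAMPLE-0000",  # protected data of user A
    "user:1:email": "alice@example.invalid",
    "feature:flag": "on",                       # what user B actually asks for
}


class FakeConnection:
    """One connection to a fake server: commands leave in order, replies return in order."""
    def __init__(self, server_latency: float) -> None:
        self._latency = server_latency
        self._socket_buffer: asyncio.Queue = asyncio.Queue()  # replies not yet read
        self._in_flight: set = set()                          # replies still on the wire

    async def send_command(self, cmd: str, key: str, *args: str) -> None:
        # The fake server answers after `latency`, as a real reply lands some time after the bytes leave.
        reply = "OK" if cmd == "SET" else FAKE_KEYSPACE.get(key)
        task = asyncio.create_task(self._deliver(reply))
        self._in_flight.add(task)
        task.add_done_callback(self._in_flight.discard)

    async def _deliver(self, reply: str) -> None:
        await asyncio.sleep(self._latency)
        await self._socket_buffer.put(reply)

    async def read_response(self) -> str:
        return await self._socket_buffer.get()

    async def disconnect(self) -> None:
        # Closing the socket discards everything in transit or still buffered.
        for task in list(self._in_flight):
            task.cancel()
        self._in_flight.clear()
        self._socket_buffer = asyncio.Queue()


async def pipeline_execute_vulnerable(pool: asyncio.Queue, commands) -> list:
    """Pre-4.5.3 shape: if cancelled between write and read, the connection goes
    back to the pool with unread replies still in its buffer."""
    conn = await pool.get()
    try:
        for cmd in commands:
            await conn.send_command(*cmd)
        return [await conn.read_response() for _ in commands]
    finally:
        pool.put_nowait(conn)  # BUG: released even though replies are still pending


async def pipeline_execute_fixed(pool: asyncio.Queue, commands) -> list:
    """4.5.3 shape: a cancelled pipeline drops its connection, so stale replies
    never reach the next caller (redis-py reconnects lazily afterwards)."""
    conn = await pool.get()
    try:
        for cmd in commands:
            await conn.send_command(*cmd)
        return [await conn.read_response() for _ in commands]
    except asyncio.CancelledError:
        await conn.disconnect()
        raise
    finally:
        pool.put_nowait(conn)


async def _scenario(execute) -> str:
    pool: asyncio.Queue = asyncio.Queue()  # the connection pool: a FIFO of free connections
    pool.put_nowait(FakeConnection(server_latency=0.05))
    # User A: a pipeline reading protected values, cancelled by a timeout that fires
    # after both GETs were written but before any reply has come back.
    try:
        await asyncio.wait_for(
            execute(pool, [("GET", "user:1:api_key"), ("GET", "user:1:email")]),
            timeout=0.01,
        )
    except asyncio.TimeoutError:
        pass
    # User B: one unrelated command on whatever connection the pool hands out next.
    conn = await pool.get()
    try:
        await conn.send_command("GET", "feature:flag")
        return await conn.read_response()
    finally:
        pool.put_nowait(conn)


def what_user_b_receives(fixed: bool) -> str:
    """Run the race once and return the reply user B reads for GET feature:flag."""
    execute = pipeline_execute_fixed if fixed else pipeline_execute_vulnerable
    return asyncio.run(_scenario(execute))


if __name__ == "__main__":
    print("vulnerable:", what_user_b_receives(fixed=False))  # user A's api_key
    print("fixed:     ", what_user_b_receives(fixed=True))   # "on"
```

Under the vulnerable path user B's GET feature:flag is answered with user A's api_key, the reply to the first command of the cancelled pipeline; under the fixed path the stale replies are thrown away with the connection and B gets "on". The same cancel-between-write-and-read window exists for single asyncio commands, which is why the pipeline-only change in 4.5.3 was followed by a general fix (CVE-2023-28859).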

Exploit

Fix

Race Condition

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2023-01831
CVE-2023-28858
GHSA-24WV-MV5M-XV4H
OPENSUSE-SU-2024:12873-1
OPENSUSE-SU-2024_1639-1
OPENSUSE-SU-2024_1639-2
PYSEC-2023-45
SUSE-SU-2024:1639-1
SUSE-SU-2024:1639-2
SUSE-SU-2024_1639-1
SUSE-SU-2024_1639-2

Affected Products

Debian
Red Os
Suse
Redis-Py