PT-2023-2098 · Pypi+2 · Redis-Py+2
Drago-Balto · Published 2023-03-26 · Updated 2024-07-01 · CVE-2023-28859
CVSS v4.0: 7.1 High
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: redis-py versions 4.4.0 through 4.4.3; redis-py versions 4.5.0 through 4.5.3

Description: The issue affects the redis-py library for Python and stems from insufficient protection of service data, which could allow a remote attacker to gain unauthorized access to protected information. It occurs when an async Redis command is cancelled at an inopportune time: the connection is left open, and its response data may be delivered to the client of an unrelated request, particularly in the case of non-pipeline operations.

Recommendations: For redis-py versions 4.4.0 through 4.4.3, update to version 4.4.4 or later. For redis-py versions 4.5.0 through 4.5.3, update to version 4.5.4 or later.
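The following is an added illustration of the failure mode described above, not code from redis-py or from this advisory. It models a pooled async connection with a constructed stand-in (a queue that receives the server's delayed reply), shows request B reading request A's reply when A's coroutine was cancelled between send and read, and shows the general defensive pattern of discarding the connection on cancellation so an in-flight reply can never reach another caller. Names such as FakeRedisConnection, execute_unsafe and execute_safe are hypothetical; the hardened function shows the principle, not the project's actual patch.

```python
import asyncio


class FakeRedisConnection:
    """Constructed stand-in for one pooled async Redis connection.

    The server's reply to each command lands on the connection after a
    delay, like bytes arriving on a socket: if nobody reads them, they sit
    there until the next reader on that connection comes along.
    """

    def __init__(self):
        self._inbound = asyncio.Queue()
        self._pending = []      # keep task references so they are not GC'd
        self.reconnects = 0

    async def send_command(self, cmd, server_latency=0.05):
        inbound = self._inbound  # the reply lands on the socket in use *now*

        async def server_reply():
            await asyncio.sleep(server_latency)
            await inbound.put(f"reply-to:{cmd}")

        self._pending.append(asyncio.create_task(server_reply()))

    async def read_response(self):
        return await self._inbound.get()

    def disconnect(self):
        # Drop the socket together with its unread bytes; the pool would
        # hand out a fresh connection for the next command.
        self._inbound = asyncio.Queue()
        self.reconnects += 1


async def execute_unsafe(conn, cmd):
    # Vulnerable pattern: a cancellation between send and read leaves the
    # connection open with an in-flight reply that the next caller will read.
    await conn.send_command(cmd)
    return await conn.read_response()


async def execute_safe(conn, cmd):
    # Hardened pattern: never hand a connection back while a reply may still
    # be on the wire; disconnect on cancellation, then re-raise it.
    await conn.send_command(cmd)
    try:
        return await conn.read_response()
    except asyncio.CancelledError:
        conn.disconnect()
        raise


async def scenario(execute):
    conn = FakeRedisConnection()
    # Request A is cancelled (client-side timeout) before its reply arrives.
    try:
        await asyncio.wait_for(execute(conn, "GET user:A:secret"), timeout=0.01)
    except asyncio.TimeoutError:
        pass
    await asyncio.sleep(0.1)  # A's reply now lands on the connection
    # Request B, on behalf of an unrelated client, reuses the same connection.
    return await execute(conn, "GET user:B:profile")


def run_unsafe():
    return asyncio.run(scenario(execute_unsafe))


def run_safe():
    return asyncio.run(scenario(execute_safe))


if __name__ == "__main__":
    print("unsafe:", run_unsafe())  # reply-to:GET user:A:secret (B gets A's data)
    print("safe:  ", run_safe())    # reply-to:GET user:B:profile
```

The unsafe run returns A's response to B, which is the cross-request disclosure the advisory describes; the safe run returns B's own response because the connection carrying A's unread reply was discarded at the moment of cancellation. A detection-side check for deployments that cannot upgrade immediately is to log such reconnects and any response whose type does not match the issued command.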

Fix

Race Condition

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2023-01832
CVE-2023-28859
GHSA-8FWW-64CX-X8P5
OPENSUSE-SU-2024:12873-1
OPENSUSE-SU-2024_1639-1
OPENSUSE-SU-2024_1639-2
PYSEC-2023-46
SUSE-SU-2024:1639-1
SUSE-SU-2024:1639-2

Affected Products

Red Os
Suse
Redis-Py