Vulnerability Details : CVE-2023-28859
redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
Exploit prediction scoring system (EPSS) score for CVE-2023-28859
Probability of exploitation activity in the next 30 days: 0.09%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 38 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2023-28859
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
6.5
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
2.8
|
3.6
|
NIST |
CWE ids for CVE-2023-28859
-
The product does not properly "clean up" and remove temporary or supporting resources after they have been used.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-28859
-
https://github.com/redis/redis-py/issues/2665
Canceling async Redis command leaves connection open, in unsafe state for future commands · Issue #2665 · redis/redis-py · GitHubIssue Tracking;Patch;Vendor Advisory
-
https://github.com/redis/redis-py/releases/tag/v4.5.4
Release 4.5.4 · redis/redis-py · GitHubRelease Notes
-
https://github.com/redis/redis-py/pull/2666
Fixing cancelled async futures by chayim · Pull Request #2666 · redis/redis-py · GitHubRelease Notes
-
https://github.com/redis/redis-py/releases/tag/v4.4.4
Release 4.4.4 · redis/redis-py · GitHubRelease Notes
-
https://github.com/redis/redis-py/pull/2641
AsyncIO Race Condition Fix by chayim · Pull Request #2641 · redis/redis-py · GitHubIssue Tracking;Patch
Products affected by CVE-2023-28859
- cpe:2.3:a:redis:redis-py:*:*:*:*:*:*:*:*
- cpe:2.3:a:redis:redis-py:*:*:*:*:*:*:*:*