1. Home
  2. CVE Database
  3. CVE-2023-28858
LOW · 3.7

CVE-2023-28858

redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. ...

Vulnerability Description

redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.

CVSS Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE

Affected Products

VendorProductVersions
RedisRedis-Py>= 4.2.0, < 4.3.6

Related Weaknesses (CWE)

CWE-193

References

FAQ

What is CVE-2023-28858?

CVE-2023-28858 is a vulnerability with a CVSS score of 3.7 (LOW). redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. ...

How severe is CVE-2023-28858?

CVE-2023-28858 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-28858?

Check the references section above for vendor advisories and patch information. Affected products include: Redis Redis-Py.