Vulnerabilities > CVE-2023-28859 - Incomplete Cleanup vulnerability in Redis Redis-Py

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

redis

CWE-459

NVD

Published: 2023-03-26

Updated: 2023-05-17

Summary

redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.

Vulnerable Configurations

Part	Description	Count
Application	Redis Redis Redis PY 4.5.0 Redis Redis PY 4.5.1 Redis Redis PY 4.5.2 Redis Redis PY 4.5.3 Redis Redis PY 4.2.0 Redis Redis PY 4.2.1 Redis Redis PY 4.2.2 Redis Redis PY 4.3.0 Redis Redis PY 4.3.1 Redis Redis PY 4.3.2 Redis Redis PY 4.3.3 Redis Redis PY 4.3.4 Redis Redis PY 4.3.5 Redis Redis PY 4.3.6 Redis Redis PY 4.4.0 Redis Redis PY 4.4.1 Redis Redis PY 4.4.2 Redis Redis PY 4.4.3	25

Common Weakness Enumeration (CWE)

CWE-459 - Incomplete Cleanup

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References