Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

LOW: redis - redis: Async command information disclosure #61

Open
github-actions bot opened this issue May 7, 2024 · 0 comments
Open

LOW: redis - redis: Async command information disclosure #61

github-actions bot opened this issue May 7, 2024 · 0 comments
Labels
LOW Trivy Labels

Comments

@github-actions
Copy link

github-actions bot commented May 7, 2024

Description:

redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.

References:

https://access.redhat.com/security/cve/CVE-2023-28858 https://github.com/pypa/advisory-database/tree/main/vulns/redis/PYSEC-2023-45.yaml https://github.com/redis/redis-py redis/redis-py@d56baeb redis/redis-py@v4.3.5...v4.3.6 redis/redis-py@v4.4.2...v4.4.3 redis/redis-py@v4.5.2...v4.5.3 redis/redis-py#2624 redis/redis-py#2641 https://github.com/redis/redis-py/releases/tag/v4.4.4 https://github.com/redis/redis-py/releases/tag/v4.5.4 https://nvd.nist.gov/vuln/detail/CVE-2023-28858 https://openai.com/blog/march-20-chatgpt-outage https://www.cve.org/CVERecord?id=CVE-2023-28858

@github-actions github-actions bot added the LOW Trivy Labels label May 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
LOW Trivy Labels
Projects
None yet
Development

No branches or pull requests

0 participants