Description:
redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.
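The following asyncio simulation is an added illustration, not code from redis-py or from this advisory. It models the failure mode with a constructed fake connection and pool: a command is sent, the caller is cancelled before the reply is read, the connection goes back to the pool with an unread reply, and the next unrelated command receives that stale reply (the off-by-one). The `discard_on_cancel` path shows the general mitigation of never returning such a connection to the pool; it is an assumption about the fix pattern, not redis-py's own implementation.

```python
import asyncio

class FakeConn:
    """Constructed stand-in for a Redis connection; replies queue up in send order."""
    def __init__(self):
        self.inbox = asyncio.Queue()
        self.closed = False
    async def send(self, cmd):
        # The server answers every command it received, even if the client stopped waiting.
        await self.inbox.put(f"reply:{cmd}")
    async def read(self):
        return await self.inbox.get()

class Pool:
    def __init__(self):
        self.free = [FakeConn()]
    def get(self):
        return self.free.pop() if self.free else FakeConn()
    def release(self, conn):
        if not conn.closed:           # a closed connection is dropped, not reused
            self.free.append(conn)

async def execute(pool, cmd, discard_on_cancel, delay=0.0):
    conn = pool.get()
    try:
        await conn.send(cmd)
        await asyncio.sleep(delay)    # window in which the caller may be cancelled
        return await conn.read()
    except asyncio.CancelledError:
        if discard_on_cancel:
            conn.closed = True        # unread reply still pending: do not reuse this socket
        raise
    finally:
        pool.release(conn)

async def scenario(discard_on_cancel):
    pool = Pool()
    task = asyncio.create_task(execute(pool, "GET user:1", discard_on_cancel, delay=0.05))
    await asyncio.sleep(0.01)         # command already sent, reply not yet read
    task.cancel()
    try:
        await task
    except asyncio.CancelledError:
        pass
    # An unrelated request now reuses the pool; which reply does it get?
    return await execute(pool, "GET user:2", discard_on_cancel)

def run(discard_on_cancel):
    return asyncio.run(scenario(discard_on_cancel))
```

`run(False)` returns the reply for `user:1` to the caller that asked for `user:2`; `run(True)` returns the correct reply because the tainted connection was discarded.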
References:
https://access.redhat.com/security/cve/CVE-2023-28858
https://github.com/pypa/advisory-database/tree/main/vulns/redis/PYSEC-2023-45.yaml
https://github.com/redis/redis-py
redis/redis-py@d56baeb
redis/redis-py@v4.3.5...v4.3.6
redis/redis-py@v4.4.2...v4.4.3
redis/redis-py@v4.5.2...v4.5.3
redis/redis-py#2624
redis/redis-py#2641
https://github.com/redis/redis-py/releases/tag/v4.4.4
https://github.com/redis/redis-py/releases/tag/v4.5.4
https://nvd.nist.gov/vuln/detail/CVE-2023-28858
https://openai.com/blog/march-20-chatgpt-outage
https://www.cve.org/CVERecord?id=CVE-2023-28858