
[GHSA-8fww-64cx-x8p5] redis-py Race Condition due to incomplete fix #2335

Conversation

sreecharanguduri

Updates

  • Description
  • Summary

Comments
aquasecurity/trivy#4473

@github-actions github-actions bot changed the base branch from main to sreecharanguduri/advisory-improvement-2335 May 30, 2023 11:10
@sreecharanguduri
Author

Please correct the applicable versions to only 4.x, while 2.x versions are not impacted by these vulnerabilities. Thanks

@darakian
Contributor

darakian commented May 30, 2023

Hey @sreecharanguduri, do you have a reference from the backing project that this issue was fixed in the older branches? I've looked and can't find one.

Edit:
Based on redis/redis-py#2665 (comment) it seems like the 4.x releases are getting fixes, but I can't find anything referencing when the vulnerable code was introduced or if a separate fix is available for the older branches.

@sreecharanguduri
Author

Hi again, our team requested NVD to re-assess, and here is the change history, updated on May 17th, on unimpacted versions: https://nvd.nist.gov/vuln/detail/CVE-2023-28859#VulnChangeHistorySection

@sreecharanguduri
Author

CVE IDs: CVE-2023-28858 and CVE-2023-28859, Title: "redis: Async command information disclosure". Basically, data leakage across AsyncIO connections of the redis-py library.
These CVEs are related to the Python redis-py library, with the introduction of async support.
"Async support was introduced in redis-py 4.2.x". Please check more details at: https://github.com/redis/redis-py/tree/v4.2.0 .

Async support was not available in the "redis-py:2.10.6" version itself. But as part of the CVE scan, these CVE IDs (CVE-2023-28858 and CVE-2023-28859) were raised for redis-py library version 2.10.6.

Could you please update these CVEs so that the affected versions start above 4.2.x in https://nvd.nist.gov/vuln/detail/CVE-2023-28858 & https://nvd.nist.gov/vuln/detail/CVE-2023-28859,
so that we will not get these CVEs for our redis-py library version 2.10.6?
Currently this CVE is asking us to upgrade the Python library from 2.10.6 to 4.x, which is not straightforward and involves a lot of effort in our case. But this CVE is not really valid for redis-py library version 2.10.6.

Thank you in advance, and also correct me if I am missing anything. Please contact me if any more details are needed.

References:
More details on the Python version we are using: https://github.com/redis/redis-py/tree/2.10.6

@darakian
Contributor

Ok, found the PR that added async support:
redis/redis-py#1899
and you do seem to be correct that the first version it shipped in is 4.2.0. I'll add that as a lower bound. 👍

@advisory-database advisory-database bot merged commit 86509d8 into sreecharanguduri/advisory-improvement-2335 May 31, 2023
@advisory-database advisory-database bot deleted the sreecharanguduri-GHSA-8fww-64cx-x8p5 branch May 31, 2023 18:23
@advisory-database
Contributor

Hi @sreecharanguduri! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
