VYPR
Moderate severityNVD Advisory· Published Mar 26, 2023· Updated Feb 20, 2025

CVE-2023-28858

CVE-2023-28858

Description

redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
redisPyPI
>= 4.4.0, < 4.4.34.4.3
redisPyPI
>= 4.5.0, < 4.5.34.5.3
redisPyPI
>= 4.2.0, < 4.3.64.3.6

Affected products

376

Patches

Vulnerability mechanics

References

12

News mentions

0

No linked articles in our index yet.