Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-28858

Опубликовано: 26 мар. 2023
Источник: redhat
CVSS3: 4.3
EPSS Низкий

Описание

redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.

A flaw was found in Redis redis-py. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue with leaving a connection open after canceling an async Redis command at an inopportune time. By sending a specially crafted request, an attacker can obtain sensitive information and use this information to launch further attacks against the affected system.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ansible Automation Platform 1.2ansible-towerWill not fix
Red Hat OpenStack Platform 13 (Queens)redisOut of support scope
Red Hat Quay 3quay/quay-rhel8Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=2182057redis: Async command information disclosure

EPSS

Процентиль: 82%
0.01782
Низкий

4.3 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2023-28858

CVSS3: 3.7
ubuntu
около 2 лет назад

redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.

nvd логотип

CVE-2023-28858

CVSS3: 3.7
nvd
около 2 лет назад

redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.

debian логотип

CVE-2023-28858

CVSS3: 3.7
debian
около 2 лет назад

redis-py before 4.5.3 leaves a connection open after canceling an asyn ...

github логотип

GHSA-24wv-mv5m-xv4h

CVSS3: 3.7
github
около 2 лет назад

redis-py Race Condition vulnerability

fstec логотип

BDU:2023-01831

CVSS3: 4.3
fstec
около 2 лет назад

Уязвимость библиотеки Python для Redis redis-py, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 82%
0.01782
Низкий

4.3 Medium

CVSS3