CVE-2023-28859

Опубликовано: 26 мар. 2023

Источник: redhat

CVSS3: 4.3

EPSS Низкий

Описание

redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.

A flaw was found in Redis redis-py. This flaw allows a remote, authenticated attacker to obtain sensitive information caused by an issue with leaving a connection open after canceling an async Redis command at an inopportune time. By sending a specially crafted request, an attacker can obtain sensitive information and use this information to launch further attacks against the affected system.

Затронутые пакеты

Платформа	Пакет	Состояние
Red Hat Ansible Automation Platform 1.2	ansible-tower	Will not fix
Red Hat OpenStack Platform 13 (Queens)	redis	Out of support scope
Red Hat Quay 3	quay/quay-rhel8	Affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-200

https://bugzilla.redhat.com/show_bug.cgi?id=2182058redis: Async command information disclosure

EPSS

Процентиль: 71%

0.00698

Низкий

4.3 Medium

CVSS3

Связанные уязвимости

CVE-2023-28859

CVSS3: 6.5

ubuntu

около 2 лет назад

CVE-2023-28859

CVSS3: 6.5

nvd

около 2 лет назад

CVE-2023-28859

CVSS3: 6.5

debian

около 2 лет назад

redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open ...

GHSA-8fww-64cx-x8p5

CVSS3: 6.5

github

около 2 лет назад

redis-py Race Condition due to incomplete fix

BDU:2023-01832

CVSS3: 4.3

fstec

около 2 лет назад

Уязвимость библиотеки Python для Redis redis-py, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 71%

0.00698

Низкий

4.3 Medium

CVSS3