Bug 2182058 (CVE-2023-28859) - CVE-2023-28859 redis: Async command information disclosure
Summary: CVE-2023-28859 redis: Async command information disclosure
Keywords:
Status: NEW
Alias: CVE-2023-28859
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium / medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2183503 2221860
Blocks: 2182047
Reported: 2023-03-27 12:37 UTC by Avinash Hanwate
Modified: 2025-06-17 08:28 UTC (History)
CC: 26 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
Description Avinash Hanwate 2023-03-27 12:37:40 UTC
redis-py through 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.

https://github.com/redis/redis-py/pull/2641
https://github.com/redis/redis-py/issues/2665
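
The description above names the failure mode but not its mechanics. The following is an added, constructed asyncio model of that mechanism and of the defensive fix; it is not redis-py's code, and every name in it (`FakeConnection`, `Pool`, `run_scenario`, the command strings and service times) is an assumption made for the illustration. A "server" answers commands strictly in arrival order on each connection. Request 1 is cancelled after its command has been sent but before its reply has been read. If the pool returns that connection to the free list, request 2 reuses it and reads request 1's reply. The hardened path discards the connection on cancellation, so request 2 gets a fresh one and reads only its own data.

```python
import asyncio


class FakeConnection:
    """Constructed stand-in for one client socket to a single-threaded server.

    Replies are produced strictly in the order commands were sent, which is the
    property that makes an abandoned request dangerous: whoever reads next gets
    the oldest unread reply, not the reply to their own command.
    """

    def __init__(self):
        self._commands = asyncio.Queue()
        self._replies = asyncio.Queue()
        self.closed = False
        self._server = asyncio.create_task(self._serve())

    async def _serve(self):
        # Answer commands one at a time, each after its (constructed) service time.
        while True:
            cmd, service_time = await self._commands.get()
            await asyncio.sleep(service_time)
            self._replies.put_nowait(f"reply:{cmd}")

    def send_command(self, cmd, service_time=0.0):
        self._commands.put_nowait((cmd, service_time))

    async def read_response(self):
        return await self._replies.get()

    def close(self):
        self.closed = True
        self._server.cancel()


class Pool:
    """Minimal connection pool; `cancel_safe` selects the hardened release path."""

    def __init__(self, cancel_safe):
        self.cancel_safe = cancel_safe
        self._free = []

    def _acquire(self):
        return self._free.pop() if self._free else FakeConnection()

    def _release(self, conn):
        # Never hand a closed connection to the next caller.
        if not conn.closed:
            self._free.append(conn)

    async def execute(self, cmd, service_time=0.0):
        conn = self._acquire()
        try:
            conn.send_command(cmd, service_time)
            return await conn.read_response()
        except asyncio.CancelledError:
            # Cancelled after the command went out but before its reply was read:
            # the reply is still in flight on this connection.
            if self.cancel_safe:
                conn.close()  # discard the connection; the pool must not reuse it
            raise
        finally:
            self._release(conn)


async def _scenario(cancel_safe):
    pool = Pool(cancel_safe)
    # Request 1 is slow; cancel it while its reply is still outstanding.
    victim = asyncio.create_task(pool.execute("GET user:1:token", service_time=0.05))
    await asyncio.sleep(0.01)
    victim.cancel()
    try:
        await victim
    except asyncio.CancelledError:
        pass
    # Request 2 is unrelated and reuses whatever the pool hands out.
    return await pool.execute("GET user:2:name")


def run_scenario(cancel_safe):
    """Returns the reply that request 2 observes. Correct behaviour: its own reply."""
    return asyncio.run(_scenario(cancel_safe))


if __name__ == "__main__":
    print("unsafe pool, request 2 received:", run_scenario(cancel_safe=False))
    print("safe pool,   request 2 received:", run_scenario(cancel_safe=True))
```

The design point is that a connection whose request/response pairing has been broken by cancellation is no longer trustworthy for any caller; closing it is cheaper than trying to resynchronise the stream, and it is the check a reviewer should look for in any async client that pools connections.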

Comment 4 Avinash Hanwate 2023-07-11 06:08:26 UTC
Created pymodbus tracking bugs for this issue:

Affects: fedora-all [bug 2221860]