摘要:
redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.
安全等级: Low
公告ID: KylinSec-SA-2024-1578
发布日期: 2024年5月27日
关联CVE: CVE-2023-28858
redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|---|---|---|
| CVE-2023-28858 | KY3.4-4A | python-redis | Unaffected |
| CVE-2023-28858 | KY3.4-5A | python-redis | Unaffected |
| CVE-2023-28858 | KY3.5.1 | python-redis | Unaffected |
| CVE-2023-28858 | KY3.5.2 | python-redis | Unaffected |
| CVE-2023-28858 | V6 | python-redis | Unaffected |
