CVE-2023-28858
Connection Handling vulnerability in redis (PyPI)
What is CVE-2023-28858 About?
This vulnerability involves improper connection handling in `redis-py` when async Redis commands are canceled during a pipeline operation. It can lead to response data being sent to an unintended client, potentially causing information leakage or session confusion. Exploitation requires specific timing and command cancellation, making it moderately difficult.
Affected Software
- redis
- >4.5.0, <4.5.3
- >4.2.0, <4.3.6
- >4.4.0, <4.4.3
Technical Details
The vulnerability occurs in redis-py versions prior to 4.5.3, 4.3.6, and 4.4.3. When an asynchronous Redis command, specifically part of a pipeline operation, is canceled at an inopportune moment, the connection may remain open in an inconsistent state. This improper state management causes response data intended for one client's request to be misdirected and delivered to an unrelated client, due to an off-by-one error in how responses are associated with requests. This can lead to clients receiving unexpected and potentially sensitive information belonging to other active connections.
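As an added illustration, not code from redis-py or from this advisory, the following Python model reproduces the failure mode described above in miniature: a fake connection whose server answers every command in order, a client that keeps the connection after a cancelled read, and a hardened variant that discards the connection when its read is cancelled. The `FakeConnection`, `VulnerableClient` and `HardenedClient` classes, the `run_scenario` helper and the command strings are all constructed for this example; the disconnect-on-cancel mitigation is shown as a general defensive pattern, not as a description of redis-py's actual patch.

```python
import asyncio


class FakeConnection:
    """Constructed stand-in for one client connection to a Redis server.

    The 'server' replies to every command, in order, after a short delay, so a
    reply for a command the caller stopped waiting for still arrives later.
    """

    def __init__(self):
        self._replies = asyncio.Queue()

    async def send_command(self, cmd):
        loop = asyncio.get_running_loop()
        loop.call_later(0.01, self._replies.put_nowait, f"reply-to:{cmd}")

    async def read_response(self):
        return await self._replies.get()


class VulnerableClient:
    """Keeps the connection after a cancelled read, so the unread reply stays queued."""

    def __init__(self):
        self.conn = None

    async def execute(self, cmd):
        if self.conn is None:
            self.conn = FakeConnection()
        await self.conn.send_command(cmd)
        # If the caller is cancelled while waiting here, the reply for `cmd`
        # is still in flight and the next execute() reads it as its own
        # response: requests and responses are now off by one.
        return await self.conn.read_response()


class HardenedClient(VulnerableClient):
    """Drops the connection on cancellation so the next call starts from a clean state."""

    async def execute(self, cmd):
        if self.conn is None:
            self.conn = FakeConnection()
        await self.conn.send_command(cmd)
        try:
            return await self.conn.read_response()
        except asyncio.CancelledError:
            # Discard the connection; the stale reply is discarded with it.
            self.conn = None
            raise


async def _scenario(client_cls):
    client = client_cls()
    first = asyncio.create_task(client.execute("GET secret:user-a"))
    await asyncio.sleep(0)      # let the task send its command and block on the read
    first.cancel()              # caller gives up on the first command mid-read
    try:
        await first
    except asyncio.CancelledError:
        pass
    await asyncio.sleep(0.02)   # the server's reply to the cancelled command lands
    # A second, unrelated request on the same client: which reply does it get?
    return await client.execute("GET profile:user-b")


def run_scenario(client_cls):
    """Return the response the second request receives for the given client class."""
    return asyncio.run(_scenario(client_cls))


if __name__ == "__main__":
    print("vulnerable client:", run_scenario(VulnerableClient))
    print("hardened client:  ", run_scenario(HardenedClient))
```

Running the script shows the vulnerable client answering the `user-b` request with the reply that belonged to the cancelled `user-a` command, while the hardened client receives the correct reply. The same idea applies to any request/response protocol multiplexed over one ordered stream: once a read is abandoned midway, the connection can no longer be trusted to be in sync and is safer discarded than reused.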
What is the Impact of CVE-2023-28858?
Successful exploitation may allow attackers to receive sensitive data intended for other users, disrupt application logic by receiving malformed or irrelevant responses, or cause session confusion within affected systems.
What is the Exploitability of CVE-2023-28858?
Exploitation of this vulnerability is likely complex, requiring precise timing and manipulation of asynchronous Redis command cancellations within a pipeline. Attackers would need to understand the internal state machine of redis-py's connection handling as well as the application's use of async Redis operations. It requires prior network access to the Redis server or an application that interacts with it. There are no authentication or specific privilege requirements beyond the ability to issue Redis commands. The primary risk factor involves applications heavily relying on redis-py for asynchronous operations, especially those with high concurrency or specific patterns of command cancellation, coupled with a lack of robust error handling for unexpected responses.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-28858?
Available Upgrade Options
- redis
- >4.2.0, <4.3.6 → Upgrade to 4.3.6
- redis
- >4.4.0, <4.4.3 → Upgrade to 4.4.3
- redis
- >4.5.0, <4.5.3 → Upgrade to 4.5.3
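A version check against the ranges listed above, as an added example that is part of neither this advisory nor redis-py: it compares a pinned or installed redis-py version with the affected ranges exactly as this page gives them (lower and upper bounds both exclusive) and names the upgrade target. The `check_redis_py`, `scan_requirements` and `installed_redis_status` functions and the sample requirements lines are constructed for this example.

```python
import re

# Affected ranges exactly as listed on the advisory page:
# (exclusive lower bound, exclusive upper bound, version to upgrade to).
AFFECTED_RANGES = [
    ((4, 2, 0), (4, 3, 6), "4.3.6"),
    ((4, 4, 0), (4, 4, 3), "4.4.3"),
    ((4, 5, 0), (4, 5, 3), "4.5.3"),
]

# Matches a pinned requirement such as "redis==4.5.1" or "redis[hiredis]==4.5.1".
_PINNED_REDIS = re.compile(
    r"^\s*redis(?:\[[^\]]*\])?\s*==\s*(\d+\.\d+\.\d+)\s*(?:#.*)?$", re.IGNORECASE
)


def parse_version(text):
    """Parse a plain X.Y.Z version; pre-release or local suffixes are rejected."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def check_redis_py(version_text):
    """Report whether a redis-py version falls in an affected range for CVE-2023-28858."""
    version = parse_version(version_text)
    for lower, upper, fixed in AFFECTED_RANGES:
        if lower < version < upper:
            return {"version": version_text, "affected": True, "upgrade_to": fixed}
    return {"version": version_text, "affected": False, "upgrade_to": None}


def scan_requirements(lines):
    """Check every pinned redis line in requirements-style input; other lines are skipped."""
    findings = []
    for line in lines:
        m = _PINNED_REDIS.match(line)
        if m:
            findings.append((line.strip(), check_redis_py(m.group(1))))
    return findings


def installed_redis_status():
    """Check the redis-py package installed in the current environment, or None if absent."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return check_redis_py(version("redis"))
    except PackageNotFoundError:
        return None


# Constructed sample input standing in for a project's requirements.txt.
SAMPLE_REQUIREMENTS = [
    "redis==4.5.1",
    "redis[hiredis]==4.4.3   # already on the fixed release",
    "aioredis==2.0.1",
    "# redis==4.3.0 (commented out, not checked)",
]

if __name__ == "__main__":
    for line, result in scan_requirements(SAMPLE_REQUIREMENTS):
        status = f"affected, upgrade to {result['upgrade_to']}" if result["affected"] else "not affected"
        print(f"{line:45s} -> {status}")
    print("installed:", installed_redis_status())
```

Because the bounds follow the page literally, a version on the stated lower bound (for example 4.5.0) is reported as not affected; if your own records treat that bound as inclusive, widen the comparison to `<=` on the lower side. Versions with pre-release suffixes are rejected rather than silently mapped to a release number, so a `4.5.3rc1` pin does not pass as fixed.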
Additional Resources
- https://github.com/redis/redis-py/compare/v4.5.2...v4.5.3
- https://github.com/pypa/advisory-database/tree/main/vulns/redis/PYSEC-2023-45.yaml
- https://osv.dev/vulnerability/GHSA-24wv-mv5m-xv4h
- https://github.com/redis/redis-py/compare/v4.4.2...v4.4.3
- https://github.com/redis/redis-py/releases/tag/v4.4.4
- https://openai.com/blog/march-20-chatgpt-outage
- https://github.com/redis/redis-py
- https://nvd.nist.gov/vuln/detail/CVE-2023-28858
What are Similar Vulnerabilities to CVE-2023-28858?
Similar Vulnerabilities: CVE-2023-28859, CVE-2020-13936, CVE-2021-32750, CVE-2018-1000656, CVE-2019-10086
