CVE-2023-28859
Connection Handling vulnerability in redis (PyPI)
What is CVE-2023-28859 About?
This vulnerability in `redis-py` results from an incomplete fix for a previous issue, where cancelling an async Redis command (non-pipeline) leaves a connection open. This can cause response data to be misdirected to an unintended client, leading to information leakage. Exploitation is difficult due to the timing requirements.
Affected Software
- redis
- >4.5.0, <4.5.4
- >4.2.0, <4.4.4
Technical Details
This vulnerability is a consequence of an incomplete fix for CVE-2023-28858 and affects redis-py through versions 4.5.3 and 4.4.3. Specifically, when an asynchronous Redis command that is not part of a pipeline operation is canceled, the underlying connection is not properly managed or closed. This improper state can cause subsequent response data, which is logically intended for another client's request using the same connection, to be inadvertently delivered to the client that previously canceled its command. The core mechanism involves a desynchronization between the client's expected state and the actual state of the connection's response buffer, leading to cross-client information disclosure.
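As an added illustration (a constructed toy model, not redis-py's code; every class and name below is hypothetical), the following simulates the mechanism described above: a fake pooled connection whose fake server answers after a delay, a first client whose command is cancelled while its reply is still in flight, and a second client that borrows a connection from the same pool. With the vulnerable pattern the second client reads the first client's reply; the hardened path closes the connection on cancellation so it is never returned to the pool with a reply pending (whether that matches the upstream patch is not something this page states).

```python
import asyncio
import itertools

_SEQ = itertools.count(1)  # orders fake-server replies deterministically

class FakeConnection:
    """Stands in for one pooled socket; the fake server pushes replies into a FIFO."""
    def __init__(self):
        self.replies = asyncio.Queue()
        self.closed = False
        self._pending = []  # keep references to in-flight fake-server tasks
    async def send(self, cmd):
        delay = 0.005 * next(_SEQ)  # later commands always answer later
        async def respond():
            await asyncio.sleep(delay)
            await self.replies.put(f"reply:{cmd}")
        self._pending.append(asyncio.create_task(respond()))
    async def read(self):
        return await self.replies.get()

class Pool:
    def __init__(self):
        self.free = []
    def get(self):
        return self.free.pop() if self.free else FakeConnection()
    def release(self, conn):
        if not conn.closed:  # a closed connection is dropped, never reused
            self.free.append(conn)

async def execute(pool, cmd, disconnect_on_cancel):
    conn = pool.get()
    try:
        await conn.send(cmd)
        return await conn.read()
    except asyncio.CancelledError:
        if disconnect_on_cancel:
            conn.closed = True  # hardened: a reply is still in flight, discard the socket
        raise
    finally:
        pool.release(conn)  # vulnerable path returns a dirty connection here

async def scenario(disconnect_on_cancel):
    pool = Pool()
    first = asyncio.create_task(execute(pool, "GET user:1", disconnect_on_cancel))
    await asyncio.sleep(0)  # let client 1 send its command and block on the reply
    first.cancel()
    try:
        await first
    except asyncio.CancelledError:
        pass
    return await execute(pool, "GET user:2", disconnect_on_cancel)  # client 2

def run_scenario(disconnect_on_cancel):
    """Returns what client 2 receives: 'reply:GET user:1' when vulnerable, 'reply:GET user:2' when hardened."""
    return asyncio.run(scenario(disconnect_on_cancel))
```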
What is the Impact of CVE-2023-28859?
Successful exploitation may allow attackers to receive sensitive data intended for other users, disrupt application logic by receiving malformed or irrelevant responses, or cause session confusion within affected systems.
What is the Exploitability of CVE-2023-28859?
Exploitation of this vulnerability is likely of high complexity, similar to its predecessor CVE-2023-28858, but potentially more nuanced because it concerns non-pipeline commands. Attackers would need to precisely time the cancellation of an asynchronous Redis command and then coordinate this with another client's request to intercept its response. Prior network access to the Redis server or to an application using redis-py is required. There are no authentication or specific privilege requirements beyond the ability to issue Redis commands. The vulnerability is remotely exploitable. The primary risk factors are applications using redis-py with async operations, especially if they frequently cancel in-flight commands without robust connection management and error handling.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-28859?
Available Upgrade Options
- redis
- >4.2.0, <4.4.4 → Upgrade to 4.4.4
- redis
- >4.5.0, <4.5.4 → Upgrade to 4.5.4
Additional Resources
- https://github.com/redis/redis-py/releases/tag/v4.4.4
- https://github.com/redis/redis-py/pull/2641
- https://github.com/redis/redis-py/pull/2671
- https://osv.dev/vulnerability/GHSA-8fww-64cx-x8p5
- https://github.com/redis/redis-py/pull/1899
- https://github.com/redis/redis-py/issues/2665
- https://github.com/redis/redis-py/releases/tag/v4.5.4
- https://github.com/redis/redis-py/commit/b3c89acd0ffe8303649ad8207bc911b1d6a033eb
What are Similar Vulnerabilities to CVE-2023-28859?
Similar Vulnerabilities: CVE-2023-28858, CVE-2022-24765, CVE-2021-39144, CVE-2019-10086, CVE-2018-1000656
