Incomplete Cleanup

CVE-2023-28859

Severity Medium
Score 6.5/10

Summary

redis-py versions 4.3.6, 4.4.3, 4.5.3, and 5.0.0b1 leave a connection open after an async Redis command is canceled at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
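
The failure mode described above, as an added example that is not redis-py code and not part of the original advisory: a toy in-memory connection shows how a reply left unread after a cancellation reaches the next caller on the same connection. `ToyConnection`, `reuse_after_cancel`, the key names and the close-on-cancel mitigation are assumptions made for illustration.

```python
import asyncio


class ToyConnection:
    """In-memory stand-in for one pooled connection (hypothetical, not redis-py)."""

    def __init__(self, close_on_cancel):
        self.close_on_cancel = close_on_cancel
        self.socket = asyncio.Queue()  # replies written by the toy server
        self.in_flight = []            # server-side work for commands already sent

    async def _serve(self, command):
        await asyncio.sleep(0.01)      # constructed server latency
        self.socket.put_nowait(f"value-of:{command}")

    def close(self):
        # Drop the socket: unanswered commands and buffered replies go with it.
        for task in self.in_flight:
            task.cancel()
        self.in_flight.clear()
        self.socket = asyncio.Queue()

    async def execute(self, command):
        self.in_flight.append(asyncio.create_task(self._serve(command)))
        try:
            return await self.socket.get()  # cancellation lands here
        except asyncio.CancelledError:
            if self.close_on_cancel:
                self.close()                # never reuse a desynchronized connection
            raise


async def reuse_after_cancel(close_on_cancel):
    conn = ToyConnection(close_on_cancel)
    first = asyncio.create_task(conn.execute("GET session:alice"))
    await asyncio.sleep(0)   # let the command be "sent"
    first.cancel()           # caller gives up before the reply arrives
    try:
        await first
    except asyncio.CancelledError:
        pass
    # The same connection is now handed to an unrelated request.
    return await conn.execute("GET session:bob")


if __name__ == "__main__":
    print("reuse as-is:    ", asyncio.run(reuse_after_cancel(False)))
    print("close on cancel:", asyncio.run(reuse_after_cancel(True)))
```

With `close_on_cancel=False` the second caller receives the reply to the first caller's command, which is the cross-request leak the summary describes.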

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • LOW
  • HIGH
  • NONE

CWE-459 - Incomplete Cleanup

The software does not properly "clean up" and remove temporary or supporting resources after they have been used.

Advisory Timeline

  • Published