Incomplete Cleanup
CVE-2023-28859
Summary
The redis-py versions 4.3.6, 4.4.3, 4.5.3, and 5.0.0b1 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- LOW
- HIGH
- NONE
CWE-459 - Incomplete Cleanup
The software does not properly "clean up" and remove temporary or supporting resources after they have been used.
References
Advisory Timeline
- Published