CVE-2023-28858

Advisory

An Off-by-one flaw was found in Redis. Affected versions leave a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner.
NOTE: this CVE Record was initially created in response to reports about ChatGPT, however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://pypi.org/project/redis
• https://pyup.io/changelogs/redis/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28858
• https://github.com/redis/redis-py/compare/v4.3.5...v4.3.6
• https://github.com/redis/redis-py/pull/2641
• https://openai.com/blog/march-20-chatgpt-outage
• https://github.com/redis/redis-py/issues/2624
• https://github.com/redis/redis-py/compare/v4.4.2...v4.4.3
• https://github.com/redis/redis-py/compare/v4.5.2...v4.5.3