cvedb.io
CVE-2023-28859
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2023-03-26T19:15:06.850 · Last modified 2026-06-17T05:48:55.987

Summary

redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.

Affected products

redis — redis-py

Does this affect you?

Add your gear to cvedb and we'll alert you only when redis ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.