{"id":"PYSEC-2023-45","details":"redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3; however, CVE-2023-28859 is a separate vulnerability.","aliases":["CVE-2023-28858","GHSA-24wv-mv5m-xv4h"],"modified":"2023-11-08T04:12:15.374587Z","published":"2023-03-26T19:15:00Z","references":[{"type":"WEB","url":"https://github.com/redis/redis-py/compare/v4.3.5...v4.3.6"},{"type":"WEB","url":"https://github.com/redis/redis-py/pull/2641"},{"type":"ARTICLE","url":"https://openai.com/blog/march-20-chatgpt-outage"},{"type":"REPORT","url":"https://github.com/redis/redis-py/issues/2624"},{"type":"WEB","url":"https://github.com/redis/redis-py/compare/v4.4.2...v4.4.3"},{"type":"WEB","url":"https://github.com/redis/redis-py/compare/v4.5.2...v4.5.3"}],"affected":[{"package":{"name":"redis","ecosystem":"PyPI","purl":"pkg:pypi/redis"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.2.0"},{"fixed":"4.3.6"},{"introduced":"4.4.0"},{"fixed":"4.4.3"},{"introduced":"4.5.0"},{"fixed":"4.5.3"}]}],"versions":["4.2.0","4.2.1","4.2.2","4.3.0","4.3.1","4.3.2","4.3.3","4.3.4","4.3.5","4.4.0","4.4.1","4.4.2","4.5.0","4.5.1","4.5.2"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/redis/PYSEC-2023-45.yaml"}}],"schema_version":"1.7.3"}