{"id":"PYSEC-2023-46","details":"redis-py through 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a non-pipeline operation), and can send response data to the client of an unrelated request. NOTE: this issue exists because of an incomplete fix for CVE-2023-28858.","aliases":["CVE-2023-28859","GHSA-8fww-64cx-x8p5"],"modified":"2023-11-08T04:12:15.434725Z","published":"2023-03-26T19:15:00Z","references":[{"type":"WEB","url":"https://github.com/redis/redis-py/pull/2641"},{"type":"REPORT","url":"https://github.com/redis/redis-py/issues/2665"}],"affected":[{"package":{"name":"redis","ecosystem":"PyPI","purl":"pkg:pypi/redis"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"4.2.0"},{"fixed":"4.4.4"},{"introduced":"4.5.0"},{"fixed":"4.5.4"}]}],"versions":["4.2.0","4.2.1","4.2.2","4.3.0","4.3.1","4.3.2","4.3.3","4.3.4","4.3.5","4.3.6","4.4.0","4.4.0rc1","4.4.0rc2","4.4.0rc3","4.4.0rc4","4.4.1","4.4.2","4.4.3","4.5.0","4.5.1","4.5.2","4.5.3"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/redis/PYSEC-2023-46.yaml"}}],"schema_version":"1.7.3"}