{"data":{"id":"ac8a22a8-c4e1-4f09-8c7e-8ab1d5ae7be6","title":"CVE-2023-28858: redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can se","summary":"CVE-2023-28858 is a bug in redis-py (a Python client library for Redis) in versions before 4.5.3: canceling an async command at the wrong moment leaves the connection open and can cause response data from one request to be delivered to an unrelated client, because the replies on that connection end up offset by one position (an off-by-one error).","solution":"Update redis-py to a fixed release: 4.3.6, 4.4.3, or 4.5.3 or later. The patches for each release line are available in the official repository at https://github.com/redis/redis-py/.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2023-28858","publishedAt":"2023-03-26T23:15:06.780Z","cveId":"CVE-2023-28858","cweIds":["CWE-193"],"cvssScore":"3.7","cvssSeverity":"low","severity":"low","attackType":["pii_leakage"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["OpenAI"],"affectedVendorsRaw":["ChatGPT","redis-py"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.01488,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality"],"aiComponentTargeted":"inference","llmSpecific":true,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}