redis-4.4.0-py3-none-any.whl: 2 vulnerabilities (highest severity is: 6.5)
mend-bolt-for-github opened this issue · comments
Vulnerable Library - redis-4.4.0-py3-none-any.whl
Python client for Redis database and key-value store
Library home page: https://files.pythonhosted.org/packages/ca/a5/0b77e6af5ba01270c2b269ea5b05cd7a1b248c713ab02e3e11d3eb4e39d7/redis-4.4.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (redis version) | Remediation Possible** |
---|---|---|---|---|---|---|
CVE-2023-28859 | Medium | 6.5 | redis-4.4.0-py3-none-any.whl | Direct | 4.4.4 | ❌ |
CVE-2023-28858 | Low | 3.7 | redis-4.4.0-py3-none-any.whl | Direct | 4.4.3 | ❌ |
** In some cases a remediation PR cannot be created automatically for a vulnerability even though a fixed version is available.
Details
CVE-2023-28859
Vulnerable Library - redis-4.4.0-py3-none-any.whl
Python client for Redis database and key-value store
Library home page: https://files.pythonhosted.org/packages/ca/a5/0b77e6af5ba01270c2b269ea5b05cd7a1b248c713ab02e3e11d3eb4e39d7/redis-4.4.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ redis-4.4.0-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
redis-py before 4.4.4 and 4.5.x before 4.5.4 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request. (This could, for example, happen for a non-pipeline operation.) NOTE: the solutions for CVE-2023-28859 address data leakage across AsyncIO connections in general.
Publish Date: 2023-03-26
URL: https://nvd.nist.gov/vuln/detail/CVE-2023-28859
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-28859
Release Date: 2023-03-26
Fix Resolution: 4.4.4
Step up your Open Source Security Game with Mend here
CVE-2023-28858
Vulnerable Library - redis-4.4.0-py3-none-any.whl
Python client for Redis database and key-value store
Library home page: https://files.pythonhosted.org/packages/ca/a5/0b77e6af5ba01270c2b269ea5b05cd7a1b248c713ab02e3e11d3eb4e39d7/redis-4.4.0-py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy:
- ❌ redis-4.4.0-py3-none-any.whl (Vulnerable Library)
Found in base branch: main
Vulnerability Details
redis-py before 4.5.3 leaves a connection open after canceling an async Redis command at an inopportune time, and can send response data to the client of an unrelated request in an off-by-one manner. NOTE: this CVE Record was initially created in response to reports about ChatGPT, and 4.3.6, 4.4.3, and 4.5.3 were released (changing the behavior for pipeline operations); however, please see CVE-2023-28859 about addressing data leakage across AsyncIO connections in general.
Publish Date: 2023-03-26
URL: CVE-2023-28858
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2023-03-26
Fix Resolution: 4.4.3