CVE-2023-28859

6.5 MEDIUM

📋 TL;DR

This vulnerability in redis-py allows data leakage across AsyncIO connections when async Redis commands are canceled at specific times. It affects applications using redis-py's async functionality, potentially exposing sensitive Redis data to unauthorized clients. The issue impacts both developers and end-users of affected applications.
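To make the failure mode in the TL;DR concrete, the following is an added, deliberately simplified model (not redis-py's own code): a command cancelled before its reply is read leaves that reply sitting on a pooled connection, and the next command issued on that connection receives the stale reply. The hardened variant drops the connection on cancellation so it can never serve a reply that belongs to an earlier caller. Connection, client names and values are all constructed for the illustration.

```python
import asyncio


class FakeConnection:
    """Constructed stand-in for a pooled async connection: replies arrive on a
    FIFO buffer and are read strictly in order, like bytes on a socket."""

    def __init__(self):
        self.replies = asyncio.Queue()

    def send(self, command, reply, delay):
        # The server's reply for this command lands on the wire after `delay`s.
        loop = asyncio.get_running_loop()
        loop.call_later(delay, self.replies.put_nowait, reply)

    async def read(self):
        return await self.replies.get()

    def disconnect(self):
        # Discard anything unread; a new connection starts with an empty buffer.
        self.replies = asyncio.Queue()


async def execute(conn, command, reply, delay, hardened):
    conn.send(command, reply, delay)
    try:
        return await conn.read()
    except asyncio.CancelledError:
        if hardened:
            # Never return a connection with an unread reply to the pool.
            conn.disconnect()
        raise


async def scenario(hardened):
    conn = FakeConnection()
    # Client A's command hits a timeout and is cancelled before its reply is read.
    try:
        await asyncio.wait_for(
            execute(conn, "GET a:secret", "A-SECRET", 0.05, hardened), timeout=0.01
        )
    except asyncio.TimeoutError:
        pass
    await asyncio.sleep(0.1)  # A's reply still arrives on the old connection
    # Client B takes the same pooled connection and issues its own command.
    return await execute(conn, "GET b:key", "B-VALUE", 0.0, hardened)


def run(hardened):
    # Vulnerable model returns "A-SECRET" to client B; hardened returns "B-VALUE".
    return asyncio.run(scenario(hardened))
```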

💻 Affected Systems

Products:
  • redis-py
Versions: redis-py < 4.4.4 and 4.5.x < 4.5.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects async operations using AsyncIO connections. Synchronous operations and non-async configurations are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive Redis data (including authentication tokens, user data, or configuration secrets) could be exposed to unauthorized clients, leading to data breaches or privilege escalation.

🟠

Likely Case

Intermittent data leakage where response data from one client's request is sent to another client, potentially exposing non-sensitive operational data.

🟢

If Mitigated

With proper network segmentation and Redis authentication, impact is limited to data within the same security zone, though confidentiality may still be compromised.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires timing conditions when canceling async commands, making reliable exploitation challenging but possible in controlled environments.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.4 or 4.5.4

Vendor Advisory: https://github.com/redis/redis-py/releases/tag/v4.4.4

Restart Required: Yes

Instructions:

1. Identify the redis-py version in your environment.
2. Upgrade to redis-py 4.4.4 or 4.5.4 using pip: `pip install "redis>=4.4.4"` or `pip install "redis>=4.5.4"` (the quotes stop the shell from treating `>` as a redirection).
3. Restart all applications using redis-py.
4. Verify the upgrade was successful.

🔧 Temporary Workarounds

Disable Async Operations

all

Temporarily switch to synchronous Redis operations if async functionality is not required

Modify code to use synchronous Redis client instead of async client

Network Segmentation

all

Isolate Redis instances from untrusted networks to limit exposure

Configure firewall rules to restrict Redis port (default 6379) access

🧯 If You Can't Patch

  • Implement strict Redis authentication and access controls
  • Monitor Redis connections for unusual patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check redis-py version in Python environment: 'python -c "import redis; print(redis.__version__)"'

Check Version:

python -c "import redis; print('redis-py version:', redis.__version__)"

Verify Fix Applied:

After upgrading, verify that the installed version is 4.4.4 or later on the 4.4.x series, or 4.5.4 or later on the 4.5.x series and beyond.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected connection resets in Redis logs
  • Multiple async command cancellations in short timeframes

Network Indicators:

  • Unusual response patterns in Redis traffic
  • Data responses sent to unexpected client IPs

SIEM Query:

source="redis.log" AND ("connection reset" OR "async cancel") | stats count by src_ip

🔗 References
