CVE-2023-28858: Unintended Data Leakage in redis-py Prior to Version 4.5.3

A new security vulnerability, identified as CVE-2023-28858, has been discovered in the popular Python Redis library redis-py. It affects versions before 4.5.3 and causes unintended data leakage across AsyncIO connections. The issue has been reported to have affected the functionality of the open-source AI language model ChatGPT. Let's dive into the details of the vulnerability, its potential impact, and the steps required to remediate it.

Details

The vulnerability in the redis-py library occurs when an async Redis command is canceled at an inopportune time, leaving the connection open with the response to that command still pending. As a result, the response may be delivered to the client of an unrelated request in an off-by-one manner, causing unexpected behavior and potential leakage of sensitive data between connections.
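
To make the "off-by-one" behaviour concrete, here is an added, self-contained Python model of the failure mode; it is not redis-py's code and it does not connect to a Redis server. A constructed in-memory stand-in answers GET requests after a fixed latency, a minimal connection pool either returns a cancelled command's connection to the pool unchanged (the vulnerable behaviour) or discards it (the hardened behaviour), and the scenario function reproduces the sequence described above: one caller's command is cancelled by a timeout while its reply is still in flight, and an unrelated caller then receives that stale reply. The class and function names, the sample keys, the latency and the timeout values are all assumptions made for this example.

```python
import asyncio

# Constructed sample data for the in-memory stand-in server (not a real Redis instance).
DATA = {"user:1:email": "alice@example.test", "user:2:email": "bob@example.test"}


class FakeConnection:
    """Model of one pooled socket (assumed name). Requests leave in order and replies
    come back in order, like a real Redis connection; the server side is a task that
    answers each request after a fixed latency. Nothing here touches a network."""

    def __init__(self, data, latency):
        self._requests = asyncio.Queue()   # bytes on the wire, client -> server
        self._replies = asyncio.Queue()    # bytes in the socket buffer, server -> client
        self._data = data
        self._latency = latency
        self._server = asyncio.create_task(self._serve())

    async def _serve(self):
        while True:
            _cmd, key = await self._requests.get()
            await asyncio.sleep(self._latency)
            await self._replies.put(self._data.get(key))

    async def execute(self, cmd, key):
        await self._requests.put((cmd, key))   # the request is already sent...
        return await self._replies.get()        # ...when a cancellation can land here

    def close(self):
        self._server.cancel()


class Pool:
    """Connection pool (assumed name). discard_on_cancel=False reproduces the
    off-by-one leak: a cancelled command hands its connection back with an unread
    reply still queued, so the next borrower reads that stale reply as its own."""

    def __init__(self, data, discard_on_cancel, latency=0.2):
        self._data, self._latency = data, latency
        self.discard_on_cancel = discard_on_cancel
        self._free, self._all = [], []

    async def get(self, key):
        conn = self._free.pop() if self._free else self._new_connection()
        try:
            reply = await conn.execute("GET", key)
        except asyncio.CancelledError:
            if self.discard_on_cancel:
                conn.close()                 # hardened: never reuse a desynchronised socket
            else:
                self._free.append(conn)      # vulnerable: stale reply stays in the buffer
            raise
        self._free.append(conn)
        return reply

    def _new_connection(self):
        conn = FakeConnection(self._data, self._latency)
        self._all.append(conn)
        return conn

    def close(self):
        for conn in self._all:
            conn.close()


async def scenario(discard_on_cancel):
    """Caller A's request for user 1 is cancelled by a short timeout; caller B then
    asks for user 2 on the same pool. Returns what caller B receives."""
    pool = Pool(DATA, discard_on_cancel)
    try:
        await asyncio.wait_for(pool.get("user:1:email"), timeout=0.02)
    except asyncio.TimeoutError:
        pass                                   # A gave up; its reply is still in flight
    received_by_b = await pool.get("user:2:email")
    pool.close()
    return received_by_b


def run_demo():
    """Returns (what B sees with the vulnerable pool, what B sees with the hardened pool)."""
    return (asyncio.run(scenario(discard_on_cancel=False)),
            asyncio.run(scenario(discard_on_cancel=True)))


if __name__ == "__main__":
    leaked, correct = run_demo()
    print("vulnerable pool handed caller B:", leaked)   # alice@example.test (A's data)
    print("hardened pool handed caller B:  ", correct)  # bob@example.test
```

Run it directly to see both outcomes. The defensive rule it illustrates applies to any request/response protocol over pooled connections: a connection whose command was cancelled after the request had been written is desynchronised and must be closed rather than returned to the pool, because the next borrower has no way to tell whose reply it is reading. The upstream redis-py fix itself is not reproduced here.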

The vulnerability affects one of the most popular Python Redis libraries, redis-py, in versions prior to 4.3.6, 4.4.3, and 4.5.3. It is also important to mention CVE-2023-28859, which addresses the data leakage issue across AsyncIO connections more generally.

Code Snippet Demonstrating the Vulnerability

import asyncio
from aioredis import create_redis_pool, Channel

# Note: this snippet is written against the aioredis 1.x API (create_redis_pool,
# Channel), a separate asyncio Redis client, rather than redis-py's own asyncio module.

async def main(loop):
    # Connection pool to a local Redis server
    redis = await create_redis_pool(('localhost', 6379), loop=loop)

    channel = Channel('foo', is_pattern=False)

    # Schedule the subscription without awaiting its completion
    asyncio.ensure_future(redis.subscribe(channel))

    # Cancel the async command at an inopportune time: tear the client down
    # while the subscription is still being processed
    async for message in channel.iter(encoding='utf-8'):
        redis.close()
        await redis.wait_closed()
        break

if __name__ == '__main__':
    loop = asyncio.get_event_loop()
    loop.run_until_complete(main(loop))

Original References

To find more details regarding the vulnerability and original references to the source, please follow the links below:
- redis-py Official Repository
- redis-py AsyncIO Library
- CVE-2023-28859 AsyncIO Connections Data Leakage Issue

Exploit Details

An attacker may exploit this vulnerability by sending malicious commands to a Redis server through the redis-py library in order to cancel async operations at unexpected times. This could expose sensitive, unrelated data between users and compromise the privacy and security of the affected system.

Resolution

To address this vulnerability, users should update redis-py to version 4.3.6, 4.4.3, or 4.5.3 (the fixed release for their branch) and monitor for any advisory regarding CVE-2023-28859, which tackles AsyncIO connection data leakage in general.
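
As an added helper (not part of the advisory or of redis-py), the following Python code checks whether a given redis-py version falls inside the affected range implied by the three fixed releases named above, and installed_redis_py_status() looks up the version installed in the current environment through importlib.metadata (redis-py is distributed on PyPI as "redis"). Pre-release suffixes such as rc1 are treated as preceding the release they name. The handling of versions outside the three listed branches (anything older than 4.3.6 affected, 4.6 and later already fixed) is this example's reading of the text above, not a statement from the page.

```python
import re
from importlib import metadata

# Fixed releases named above, one per maintained branch. Assumption for this
# example: branches newer than 4.5 already include the fix.
FIXED = {(4, 3): (4, 3, 6), (4, 4): (4, 4, 3), (4, 5): (4, 5, 3)}
EARLIEST_FIX = (4, 3, 6)


def parse_version(text):
    """Turn '4.5.3', '4.5', '4.5.3rc1' or '4.5.3.post1' into a comparable tuple
    (major, minor, patch, is_final). Pre-releases sort before the final release;
    post-releases and local versions sort alongside it."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    is_final = 1 if not suffix or suffix.startswith((".post", "+")) else 0
    return (int(major), int(minor), int(patch or 0), is_final)


def is_affected(version_text):
    """True if this redis-py version is inside the range fixed by 4.3.6 / 4.4.3 / 4.5.3."""
    v = parse_version(version_text)
    # A branch with its own fix is compared against that fix; any other branch is
    # affected only if it predates the earliest fixed release.
    fixed = FIXED.get(v[:2], EARLIEST_FIX)
    return v < fixed + (1,)


def installed_redis_py_status(distribution="redis"):
    """Return (installed_version, affected) for the installed redis-py distribution,
    or (None, None) when it is not installed in this environment."""
    try:
        installed = metadata.version(distribution)
    except metadata.PackageNotFoundError:
        return None, None
    return installed, is_affected(installed)


if __name__ == "__main__":
    version, affected = installed_redis_py_status()
    if version is None:
        print("redis-py is not installed in this environment")
    else:
        print(f"redis-py {version}: {'AFFECTED, upgrade' if affected else 'not affected'}")
```

Run the script in the environment that serves your application (the interpreter your service actually starts with), since a check run elsewhere says nothing about the version in use.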

In conclusion, remain vigilant about how the redis-py library is used and keep it up to date to minimize potential risks. Additionally, keep an eye on the security advisories and updates regarding CVE-2023-28859, which may provide further guidance on mitigating potential data leakage issues.

Timeline

Published on: 03/26/2023 19:15:00 UTC
Last modified on: 05/17/2023 17:07:00 UTC