
Cloud Vulnerability DB
A community-led vulnerabilities database
redis-py versions before 4.4.4, and 4.5.x versions before 4.5.4, contain a vulnerability in which cancelling an async Redis command at an inopportune moment leaves the connection open and can deliver response data to the client of an unrelated request. The vulnerability was discovered in March 2023 and affects both pipeline and non-pipeline operations (NVD).
The vulnerability stems from incomplete cleanup when an async Redis command is cancelled. If the cancellation lands at a specific point in the command's lifecycle, the connection remains open in an unsafe state instead of being discarded, so response data can be sent to an unrelated client request. The issue has a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, and is classified as CWE-459 (Incomplete Cleanup) (NVD).
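The mechanism above is easiest to see in a small model. The following is an added example, not code from the advisory or from the redis-py project: it builds a constructed fake connection (`FakeConnection`), a minimal pool and a client whose `execute()` either reuses a connection after a cancelled await (`safe_cancel=False`, the incomplete-cleanup pattern) or discards it (`safe_cancel=True`). Request A is cancelled after its command is on the wire; request B then observes which reply it receives. All class and command names are constructed for the demonstration.

```python
import asyncio


class FakeConnection:
    """Constructed stand-in for one client socket (not redis-py's Connection).

    Commands are written in order and the fake server answers each one after a
    short delay; replies land in ``reader`` in the order the commands were sent,
    as a real in-order reply stream would."""

    def __init__(self):
        self.reader = asyncio.Queue()
        self.disconnected = False

    async def send_command(self, cmd):
        loop = asyncio.get_running_loop()
        loop.call_later(0.01, self._deliver, f"reply-to:{cmd}")

    def _deliver(self, reply):
        if not self.disconnected:          # a closed socket drops late replies
            self.reader.put_nowait(reply)

    async def read_response(self):
        return await self.reader.get()

    async def disconnect(self):
        self.disconnected = True
        while not self.reader.empty():
            self.reader.get_nowait()


class Pool:
    """Minimal connection pool: hands back the most recently released socket."""

    def __init__(self):
        self.free = []

    def get_connection(self):
        if self.free:
            return self.free.pop()
        return FakeConnection()

    def release(self, conn):
        if not conn.disconnected:
            self.free.append(conn)


class Client:
    """safe_cancel=False reproduces the incomplete-cleanup pattern;
    safe_cancel=True discards the socket when the awaiting task is cancelled."""

    def __init__(self, pool, safe_cancel):
        self.pool = pool
        self.safe_cancel = safe_cancel

    async def execute(self, cmd):
        conn = self.pool.get_connection()
        try:
            await conn.send_command(cmd)
            return await conn.read_response()
        except asyncio.CancelledError:
            if self.safe_cancel:
                # The reply to ``cmd`` is still in flight; reusing this socket
                # would hand that reply to whoever sends the next command.
                await conn.disconnect()
            raise
        finally:
            self.pool.release(conn)


async def run_scenario(safe_cancel):
    """Cancel request A after it is on the wire, then issue request B.
    Returns the reply that request B observes."""
    pool = Pool()
    client = Client(pool, safe_cancel)

    task_a = asyncio.create_task(client.execute("GET secret:user-a"))
    await asyncio.sleep(0)            # task A sends its command and blocks on the reply
    task_a.cancel()                   # caller gives up before the reply arrives
    try:
        await task_a
    except asyncio.CancelledError:
        pass

    await asyncio.sleep(0.02)         # reply A now reaches the (possibly reused) socket
    return await client.execute("GET profile:user-b")


def observe_reply(safe_cancel):
    """Synchronous wrapper: what does request B get back?"""
    return asyncio.run(run_scenario(safe_cancel))


if __name__ == "__main__":
    print("unsafe cancel:", observe_reply(safe_cancel=False))
    print("safe cancel:  ", observe_reply(safe_cancel=True))
```

With `safe_cancel=False`, request B receives the reply meant for request A (and B's own reply is left buffered for the next caller, so the desynchronisation persists). With `safe_cancel=True`, the cancelled connection is dropped and B gets its own reply. The design point is that a connection whose reply stream can no longer be matched to a caller must not go back into the pool; the page's description of the fix ("proper handling of canceled async futures") is this discard-on-cancel rule applied to redis-py's real connection classes.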
The result is data leakage across AsyncIO connections: response data belonging to one request can be delivered to an unrelated client. This is a significant security risk, since sensitive information from one request can be exposed to another (Redis Issue).
The issue is fixed in redis-py versions 4.4.4 and 4.5.4. The fix adds proper handling of cancelled async futures and closes the data leakage across AsyncIO connections. Users are strongly advised to upgrade to these versions or later to mitigate the vulnerability (Redis Release, Redis Release).
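A quick check for whether an installed redis-py falls inside the affected ranges stated above. This is an added example, not code from the advisory or the redis-py project; it assumes the library is installed under its PyPI distribution name `redis` and ignores pre-release tags (so `4.5.4rc1` is treated as `4.5.4`; use `packaging.version` for exact PEP 440 ordering).

```python
import re
from importlib.metadata import PackageNotFoundError, version


def parse_version(text):
    """Turn '4.5.3' (or '4.5.4rc1', pre-release tag ignored) into a tuple of ints."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(ver):
    """Affected ranges as given in the advisory: < 4.4.4, and 4.5.x < 4.5.4."""
    v = parse_version(ver)
    if v[:2] == (4, 5):
        return v < (4, 5, 4)
    return v < (4, 4, 4)


def check_installed(dist="redis"):
    """Return (installed_version, affected); (None, None) if not installed."""
    try:
        installed = version(dist)
    except PackageNotFoundError:
        return None, None
    return installed, is_affected(installed)


if __name__ == "__main__":
    installed, affected = check_installed()
    if installed is None:
        print("redis-py is not installed in this environment")
    else:
        print(f"redis-py {installed}: {'AFFECTED, upgrade' if affected else 'not affected'}")
```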
The vulnerability received attention in the Redis community because of its impact on async operations. The fix was delivered across several pull requests and went through substantial community review and testing to cover all async operation patterns, including async pipeline, pubsub, sentinel, and cluster operations (Redis PR).
Source: This report was generated using AI