FreeBSD: VID-3f6d6181-79b2-4d33-bb1e-5d3f9df0c1d1 (CVE-2023-28858): py39-redis -- can send response data to the client of an unrelated request

Severity
4
CVSS
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
Published
Apr 9, 2023
Added
Apr 14, 2023
Modified
Dec 10, 2025

Description

drago-balto reports: redis-py before 4.5.3, as used in ChatGPT and other products, leaves a connection open after canceling an async Redis command at an inopportune time (in the case of a pipeline operation), and can send response data to the client of an unrelated request in an off-by-one manner. The fixed versions for this CVE Record are 4.3.6, 4.4.3, and 4.5.3, but [are believed to be incomplete](https://github.com/redis/redis-py/issues/2665). CVE-2023-28859 has been assigned the issues caused by the incomplete fixes.
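The failure mode described above is easy to reproduce without a Redis server. The following added example (not code from redis-py or from the FreeBSD advisory) models the mechanism in-process: a pooled connection whose replies queue up FIFO, a command that is cancelled after it was written but before its reply was read, and a second, unrelated request that then reuses the same connection and reads the first request's reply (the off-by-one). The `disconnect_on_cancel` switch shows the mitigation shape of the upstream fix: a connection whose command was cancelled mid-flight is dropped rather than returned to the pool. `FakeConnection`, `Pool`, `execute`, the 10 ms server latency and the command strings are all constructed for this example.

```python
import asyncio


class FakeConnection:
    """Constructed stand-in for one Redis socket.

    A real socket keeps unread replies in its receive buffer; here `_inbox`
    plays that role, and a per-connection server task answers commands in
    strict FIFO order, as Redis does.
    """

    def __init__(self, server_latency: float = 0.01) -> None:
        self._outbox = asyncio.Queue()  # commands written to the wire
        self._inbox = asyncio.Queue()  # replies not yet read by the client
        self._latency = server_latency
        self.closed = False
        self._server = asyncio.get_running_loop().create_task(self._serve())

    async def _serve(self) -> None:
        # The "server" side: one reply per command, in order, after a delay.
        while True:
            cmd = await self._outbox.get()
            await asyncio.sleep(self._latency)
            await self._inbox.put(f"reply:{cmd}")

    def send_command(self, cmd: str) -> None:
        self._outbox.put_nowait(cmd)

    async def read_response(self) -> str:
        return await self._inbox.get()

    def disconnect(self) -> None:
        self.closed = True
        self._server.cancel()


class Pool:
    """Single-slot pool: reuses the connection unless it has been closed."""

    def __init__(self) -> None:
        self._conn = FakeConnection()

    def get(self) -> FakeConnection:
        if self._conn.closed:
            self._conn = FakeConnection()  # closed connections are replaced, never reused
        return self._conn


async def execute(pool: Pool, cmd: str, disconnect_on_cancel: bool) -> str:
    conn = pool.get()
    conn.send_command(cmd)
    try:
        return await conn.read_response()
    except asyncio.CancelledError:
        if disconnect_on_cancel:
            # Fixed behaviour: the reply to `cmd` is still in flight, so the
            # connection is out of sync with any future caller. Drop it.
            conn.disconnect()
        raise


async def scenario(disconnect_on_cancel: bool) -> str:
    pool = Pool()
    victim = asyncio.create_task(execute(pool, "GET secret", disconnect_on_cancel))
    await asyncio.sleep(0)  # let the task write its command and block on the reply
    victim.cancel()  # e.g. an asyncio.wait_for() timeout firing at the wrong moment
    try:
        await victim
    except asyncio.CancelledError:
        pass
    # An unrelated request now takes the pooled connection. Its command is
    # queued behind the cancelled one, so the first reply it reads belongs
    # to "GET secret" unless the connection was discarded.
    return await execute(pool, "GET public", disconnect_on_cancel)


def run(disconnect_on_cancel: bool) -> str:
    return asyncio.run(scenario(disconnect_on_cancel))


if __name__ == "__main__":
    print("vulnerable:", run(disconnect_on_cancel=False))  # reply:GET secret
    print("fixed:     ", run(disconnect_on_cancel=True))  # reply:GET public
```

The vulnerable path returns the reply for `GET secret` to the caller that asked for `GET public`, which is exactly the cross-request data exposure the advisory describes. Note that the fix must cover every code path that can be cancelled between write and read; the advisory's pointer to CVE-2023-28859 is a reminder that the pipeline path was initially missed.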

Solution

Upgrade the py39-redis package (freebsd-upgrade-package-py39-redis). The upstream fixed versions for this CVE are 4.3.6, 4.4.3 and 4.5.3; the upstream project considers those fixes incomplete, and the remaining issues are tracked as CVE-2023-28859.