CVE-2023-28859: redis-py Race Condition due to incomplete fix

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.71029%
Published: 3/26/2023
Updated: 10/25/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
redis        | pip       | >= 4.5.0, < 4.5.4   | 4.5.4
redis        | pip       | >= 4.2.0, < 4.4.4   | 4.4.4

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability stems from incomplete cleanup during async command cancellation. The commit diff shows critical changes in client.py and cluster.py where asyncio.shield was added to protect against premature cancellation, and explicit CancelledError handling was implemented to disconnect lingering connections. These functions directly manage command execution lifecycle and were the focus of the patch, making them the clear vulnerable points.
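The mechanism described above, as an added example constructed for this page (it is not redis-py's code and uses hypothetical names throughout): a toy connection whose queue plays the socket receive buffer, a client in the pre-fix shape, and a client in the shape of the fix the paragraph describes (asyncio.shield around the send/read pair, and an explicit CancelledError handler that disconnects). Request A is cancelled by a timeout while its reply is still in flight; request B then reuses the same pooled connection.

```python
import asyncio


class FakeRedisConnection:
    """Constructed stand-in for one redis-py connection (hypothetical, not redis-py code).

    Redis is strictly request/response: each command sent produces exactly one
    reply, and replies arrive in send order on the same socket. The queue below
    plays the socket's receive buffer.
    """

    def __init__(self, latency: float = 0.05) -> None:
        self.latency = latency
        self._rx = asyncio.Queue()  # replies waiting to be read, FIFO
        self.connected = True
        self.disconnects = 0

    async def send_command(self, cmd: str, key: str) -> None:
        # The "server" answers at once; the reply sits unread until read_response().
        reply = f"value-of-{key}" if cmd == "GET" else "OK"
        await self._rx.put(reply)

    async def read_response(self) -> str:
        await asyncio.sleep(self.latency)  # the socket read: this is the cancellation point
        if not self.connected:
            raise ConnectionError("connection was closed")
        return await self._rx.get()

    async def disconnect(self) -> None:
        # Closing the socket discards any unread reply, which is the point of the fix.
        self.connected = False
        self.disconnects += 1
        self._rx = asyncio.Queue()


class VulnerableClient:
    """Pre-fix shape: cancellation between send and read leaves the reply on the socket."""

    def __init__(self, conn: FakeRedisConnection) -> None:
        self.conn = conn

    async def execute_command(self, cmd: str, key: str) -> str:
        await self.conn.send_command(cmd, key)
        return await self.conn.read_response()  # cancelled here -> reply never consumed


class FixedClient:
    """Shape of the fix: shield the send/read pair, and if the caller is cancelled
    anyway, drop the connection so its stale reply cannot reach the next user."""

    def __init__(self, conn: FakeRedisConnection) -> None:
        self.conn = conn

    async def _send_and_read(self, cmd: str, key: str) -> str:
        await self.conn.send_command(cmd, key)
        return await self.conn.read_response()

    async def execute_command(self, cmd: str, key: str) -> str:
        inner = asyncio.ensure_future(self._send_and_read(cmd, key))
        try:
            return await asyncio.shield(inner)
        except asyncio.CancelledError:
            await self.conn.disconnect()
            # Retire the shielded task so its ConnectionError is not left unretrieved.
            await asyncio.gather(inner, return_exceptions=True)
            raise


async def two_requests_one_connection(client_cls) -> str:
    """Request A (session:alice) times out mid-read; request B (session:bob) then
    reuses the pooled connection. Returns the reply B receives."""
    conn = FakeRedisConnection()
    client = client_cls(conn)
    try:
        await asyncio.wait_for(client.execute_command("GET", "session:alice"), timeout=0.005)
    except asyncio.TimeoutError:
        pass
    if not conn.connected:
        # A real pool hands out a fresh connection after the old one was dropped.
        client = client_cls(FakeRedisConnection())
    return await client.execute_command("GET", "session:bob")


def run(client_cls) -> str:
    return asyncio.run(two_requests_one_connection(client_cls))


if __name__ == "__main__":
    print("vulnerable:", run(VulnerableClient))  # value-of-session:alice (another request's data)
    print("fixed:     ", run(FixedClient))       # value-of-session:bob
```

With the vulnerable client, B's read returns A's unread reply: the connection is one reply out of step, and data belonging to another request (here a session value) is handed to the wrong caller. With the fixed client, the cancelled call disconnects, so the next request gets a clean connection and its own reply. Watching the connection pool for commands cancelled mid-read is a useful signal, and the actual mitigation is the patched release listed in the table above.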
