A vulnerability has been discovered in the redis-py library, affecting versions before 4.4.4 and 4.5.x before 4.5.4. The vulnerability, dubbed CVE-2023-28859, exposes a data leakage issue across AsyncIO connections. This allows response data from a canceled async Redis command to be sent to a client, potentially compromising sensitive information.

This post aims to discuss the CVE in detail, provide code snippets to demonstrate the issue and the solution, and offer links to further resources and references. The target audience for this post is developers and DevOps engineers utilizing redis-py in their applications and platforms.

Vulnerability Details

The vulnerability occurs when an async Redis command is canceled at an inopportune time, leaving a connection open. Consequently, this allows response data to be sent to an unrelated client. For instance, this could happen for non-pipeline operations.

Here is a code snippet demonstrating the issue

import asyncio
from aioredis import create_redis_pool

async def main():
    # create Redis pool
    pool = await create_redis_pool('redis://localhost')

    # set 'key1' to 'value1' (example of a cancelled async Redis command)
    asyncio.ensure_future(pool.set('key1', 'value1'))

    # get the value of 'key2' (unrelated request)
    value = await pool.get('key2')

    # Note: the response data from pool.set('key1', 'value1') could be sent to this client
    print(f"Received value for key2: {value}")

asyncio.run(main())

Solution

This issue has been resolved in the latest versions of the redis-py library - 4.4.4 and 4.5.4. The solution provided addresses data leakage across AsyncIO connections in general. To fix this vulnerability, users should update their redis-py installations to the mentioned secure versions.

Here is a code snippet demonstrating the solution

# Before, the library left a connection open after canceling an async Redis command (assuming you have imported create_redis_pool)
async def main():
    pool = await create_redis_pool('redis://localhost')

    asyncio.ensure_future(pool.set('key1', 'value1'))
    value = await pool.get('key2')

    print(f"Received value for key2: {value}")

asyncio.run(main())

References

1. CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28859
2. Redis-py Documentation: https://redis-py.readthedocs.io/en/latest/index.html
3. Redis-py GitHub Repository: https://github.com/andymccurdy/redis-py

Conclusion

It is important to regularly update software libraries and dependencies to ensure the security of applications and platforms. The data leakage vulnerability described in this post can have severe consequences by exposing sensitive information to unauthorized clients. By updating the redis-py library to the latest secure versions (4.4.4 or 4.5.4), developers and DevOps engineers can mitigate the risks associated with CVE-2023-28859.

Timeline

Published on: 03/26/2023 19:15:00 UTC
Last modified on: 05/17/2023 17:08:00 UTC