Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
References
Link | Resource |
---|---|
https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200 | Third Party Advisory |
https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be | Patch Third Party Advisory |
https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1 | Release Notes Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/ | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/ | |
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/ | Exploit Patch Technical Description Vendor Advisory |
https://pyup.io/vulnerabilities/CVE-2022-40897/52495/ | Third Party Advisory |
https://security.netapp.com/advisory/ntap-20230214-0001/ |
Configurations
History
07 Nov 2023, 03:52
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
08 Aug 2023, 14:22
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-1333 |
01 May 2023, 06:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
14 Feb 2023, 13:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
06 Jan 2023, 18:34
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.9 |
30 Dec 2022, 21:45
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
CWE | NVD-CWE-Other | |
References | (MISC) https://pyup.io/vulnerabilities/CVE-2022-40897/52495/ - Third Party Advisory | |
References | (MISC) https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200 - Third Party Advisory | |
References | (MISC) https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/ - Exploit, Patch, Technical Description, Vendor Advisory | |
References | (CONFIRM) https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1 - Release Notes, Third Party Advisory | |
References | (MISC) https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be - Patch, Third Party Advisory | |
First Time |
Python setuptools
Python |
|
CPE | cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:* |
27 Dec 2022, 08:15
Type | Values Removed | Values Added |
---|---|---|
Summary | Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. | |
References |
|
23 Dec 2022, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-12-23 00:15
Updated : 2023-12-10 14:48
NVD link : CVE-2022-40897
Mitre link : CVE-2022-40897
CVE.ORG link : CVE-2022-40897
JSON object : View
Products Affected
python
- setuptools
CWE