pysec-2022-43012
Vulnerability from pysec
Published
2022-12-23 00:15
Modified
2023-05-04 04:29
Details
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Aliases
{ "affected": [ { "package": { "ecosystem": "PyPI", "name": "setuptools", "purl": "pkg:pypi/setuptools" }, "ranges": [ { "events": [ { "introduced": "0" }, { "fixed": "43a9c9bfa6aa626ec2a22540bea28d2ca77964be" } ], "repo": "https://github.com/pypa/setuptools", "type": "GIT" }, { "events": [ { "introduced": "0" }, { "fixed": "65.5.1" } ], "type": "ECOSYSTEM" } ], "versions": [ "0.6b1", "0.6b2", "0.6b3", "0.6b4", "0.6c1", "0.6c10", "0.6c11", "0.6c2", "0.6c3", "0.6c4", "0.6c5", "0.6c6", "0.6c7", "0.6c8", "0.6c9", "0.7.2", "0.7.3", "0.7.4", "0.7.5", "0.7.6", "0.7.7", "0.7.8", "0.8", "0.9", "0.9.1", "0.9.2", "0.9.3", "0.9.4", "0.9.5", "0.9.6", "0.9.7", "0.9.8", "1.0", "1.1", "1.1.1", "1.1.2", "1.1.3", "1.1.4", "1.1.5", "1.1.6", "1.1.7", "1.2", "1.3", "1.3.1", "1.3.2", "1.4", "1.4.1", "1.4.2", "10.0", "10.0.1", "10.1", "10.2", "10.2.1", "11.0", "11.1", "11.2", "11.3", "11.3.1", "12.0", "12.0.1", "12.0.2", "12.0.3", "12.0.4", "12.0.5", "12.1", "12.2", "12.3", "12.4", "13.0", "13.0.1", "13.0.2", "14.0", "14.1", "14.1.1", "14.2", "14.3", "14.3.1", "15.0", "15.1", "15.2", "16.0", "17.0", "17.1", "17.1.1", "18.0", "18.0.1", "18.1", "18.2", "18.3", "18.3.1", "18.3.2", "18.4", "18.5", "18.6", "18.6.1", "18.7", "18.7.1", "18.8", "18.8.1", "19.0", "19.1", "19.1.1", "19.2", "19.3", "19.4", "19.4.1", "19.5", "19.6", "19.6.1", "19.6.2", "19.7", "2.0", "2.0.1", "2.0.2", "2.1", "2.1.1", "2.1.2", "2.2", "20.0", "20.1", "20.1.1", "20.10.1", "20.2.2", "20.3", "20.3.1", "20.4", "20.6.6", "20.6.7", "20.6.8", "20.7.0", "20.8.0", "20.8.1", "20.9.0", "21.0.0", "21.1.0", "21.2.0", "21.2.1", "21.2.2", "22.0.0", "22.0.1", "22.0.2", "22.0.4", "22.0.5", "23.0.0", "23.1.0", "23.2.0", "23.2.1", "24.0.0", "24.0.1", "24.0.2", "24.0.3", "24.1.0", "24.1.1", "24.2.0", "24.2.1", "24.3.0", "24.3.1", "25.0.0", "25.0.1", "25.0.2", "25.1.0", "25.1.1", "25.1.2", "25.1.3", "25.1.4", "25.1.5", "25.1.6", "25.2.0", "25.3.0", "25.4.0", "26.0.0", "26.1.0", "26.1.1", "27.0.0", "27.1.0", "27.1.2", "27.2.0", "27.3.0", "27.3.1", "28.0.0", "28.1.0", "28.2.0", "28.3.0", "28.4.0", "28.5.0", "28.6.0", "28.6.1", "28.7.0", "28.7.1", "28.8.0", "28.8.1", "29.0.0", "29.0.1", "3.0", "3.0.1", "3.0.2", "3.1", "3.2", "3.3", "3.4", "3.4.1", "3.4.2", "3.4.3", "3.4.4", "3.5", "3.5.1", "3.5.2", "3.6", "3.7", "3.7.1", "3.8", "3.8.1", "30.0.0", "30.1.0", "30.2.0", "30.2.1", "30.3.0", "30.4.0", "31.0.0", "31.0.1", "32.0.0", "32.1.0", "32.1.1", "32.1.2", "32.1.3", "32.2.0", "32.3.0", "32.3.1", "33.1.0", "33.1.1", "34.0.0", "34.0.1", "34.0.2", "34.0.3", "34.1.0", "34.1.1", "34.2.0", "34.3.0", "34.3.1", "34.3.2", "34.3.3", "34.4.0", "34.4.1", "35.0.0", "35.0.1", "35.0.2", "36.0.1", "36.1.0", "36.1.1", "36.2.0", "36.2.1", "36.2.2", "36.2.3", "36.2.4", "36.2.5", "36.2.6", "36.2.7", "36.3.0", "36.4.0", "36.5.0", "36.6.0", "36.6.1", "36.7.0", "36.7.1", "36.7.2", "36.8.0", "37.0.0", "38.0.0", "38.1.0", "38.2.0", "38.2.1", "38.2.3", "38.2.4", "38.2.5", "38.3.0", "38.4.0", "38.4.1", "38.5.0", "38.5.1", "38.5.2", "38.6.0", "38.6.1", "38.7.0", "39.0.0", "39.0.1", "39.1.0", "39.2.0", "4.0", "4.0.1", "40.0.0", "40.1.0", "40.1.1", "40.2.0", "40.3.0", "40.4.0", "40.4.1", "40.4.2", "40.4.3", "40.5.0", "40.6.0", "40.6.1", "40.6.2", "40.6.3", "40.7.0", "40.7.1", "40.7.2", "40.7.3", "40.8.0", "40.9.0", "41.0.0", "41.0.1", "41.1.0", "41.2.0", "41.3.0", "41.4.0", "41.5.0", "41.5.1", "41.6.0", "42.0.0", "42.0.1", "42.0.2", "43.0.0", "44.0.0", "44.1.0", "44.1.1", "45.0.0", "45.1.0", "45.2.0", "45.3.0", "46.0.0", "46.1.0", "46.1.1", "46.1.2", "46.1.3", "46.2.0", "46.3.0", "46.3.1", "46.4.0", "47.0.0", "47.1.0", "47.1.1", "47.2.0", "47.3.0", "47.3.1", "47.3.2", "48.0.0", "49.0.0", "49.0.1", "49.1.0", "49.1.1", "49.1.2", "49.1.3", "49.2.0", "49.2.1", "49.3.0", "49.3.1", "49.3.2", "49.4.0", "49.5.0", "49.6.0", "5.0", "5.0.1", "5.0.2", "5.1", "5.2", "5.3", "5.4", "5.4.1", "5.4.2", "5.5", "5.5.1", "5.6", "5.7", "5.8", "50.0.0", "50.0.1", "50.0.2", "50.0.3", "50.1.0", "50.2.0", "50.3.0", "50.3.1", "50.3.2", "51.0.0", "51.1.0", "51.1.0.post20201221", "51.1.1", "51.1.2", "51.2.0", "51.3.0", "51.3.1", "51.3.2", "51.3.3", "52.0.0", "53.0.0", "53.1.0", "54.0.0", "54.1.0", "54.1.1", "54.1.2", "54.1.3", "54.2.0", "56.0.0", "56.1.0", "56.2.0", "57.0.0", "57.1.0", "57.2.0", "57.3.0", "57.4.0", "57.5.0", "58.0.0", "58.0.1", "58.0.2", "58.0.3", "58.0.4", "58.1.0", "58.2.0", "58.3.0", "58.4.0", "58.5.0", "58.5.1", "58.5.2", "58.5.3", "59.0.1", "59.1.0", "59.1.1", "59.2.0", "59.3.0", "59.4.0", "59.5.0", "59.6.0", "59.7.0", "59.8.0", "6.0.1", "6.0.2", "6.1", "60.0.0", "60.0.1", "60.0.2", "60.0.3", "60.0.4", "60.0.5", "60.1.0", "60.1.1", "60.10.0", "60.2.0", "60.3.0", "60.3.1", "60.4.0", "60.5.0", "60.6.0", "60.7.0", "60.7.1", "60.8.0", "60.8.1", "60.8.2", "60.9.0", "60.9.1", "60.9.2", "60.9.3", "61.0.0", "61.1.0", "61.1.1", "61.2.0", "61.3.0", "61.3.1", "62.0.0", "62.1.0", "62.2.0", "62.3.0", "62.3.1", "62.3.2", "62.3.3", "62.3.4", "62.4.0", "62.5.0", "62.6.0", "63.0.0", "63.0.0b1", "63.1.0", "63.2.0", "63.3.0", "63.4.0", "63.4.1", "63.4.2", "63.4.3", "64.0.0", "64.0.1", "64.0.2", "64.0.3", "65.0.0", "65.0.1", "65.0.2", "65.1.0", "65.1.1", "65.2.0", "65.3.0", "65.4.0", "65.4.1", "65.5.0", "7.0", "8.0", "8.0.1", "8.0.2", "8.0.3", "8.0.4", "8.1", "8.2", "8.2.1", "8.3", "9.0", "9.0.1", "9.1" ] } ], "aliases": [ "CVE-2022-40897" ], "details": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.", "id": "PYSEC-2022-43012", "modified": "2023-05-04T04:29:29.797493Z", "published": "2022-12-23T00:15:00Z", "references": [ { "type": "WEB", "url": "https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200" }, { "type": "WEB", "url": "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/" }, { "type": "WEB", "url": "https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1" }, { "type": "FIX", "url": "https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be" }, { "type": "WEB", "url": "https://pyup.io/vulnerabilities/CVE-2022-40897/52495/" } ] }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.