pysec-2022-43012
Vulnerability from pysec
Published
2022-12-23 00:15
Modified
2023-05-04 04:29
Details

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or a custom PackageIndex page, because a regular expression in package_index.py is vulnerable to Regular Expression Denial of Service (ReDoS).

Aliases



{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "setuptools",
        "purl": "pkg:pypi/setuptools"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "43a9c9bfa6aa626ec2a22540bea28d2ca77964be"
            }
          ],
          "repo": "https://github.com/pypa/setuptools",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "65.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.6b1",
        "0.6b2",
        "0.6b3",
        "0.6b4",
        "0.6c1",
        "0.6c10",
        "0.6c11",
        "0.6c2",
        "0.6c3",
        "0.6c4",
        "0.6c5",
        "0.6c6",
        "0.6c7",
        "0.6c8",
        "0.6c9",
        "0.7.2",
        "0.7.3",
        "0.7.4",
        "0.7.5",
        "0.7.6",
        "0.7.7",
        "0.7.8",
        "0.8",
        "0.9",
        "0.9.1",
        "0.9.2",
        "0.9.3",
        "0.9.4",
        "0.9.5",
        "0.9.6",
        "0.9.7",
        "0.9.8",
        "1.0",
        "1.1",
        "1.1.1",
        "1.1.2",
        "1.1.3",
        "1.1.4",
        "1.1.5",
        "1.1.6",
        "1.1.7",
        "1.2",
        "1.3",
        "1.3.1",
        "1.3.2",
        "1.4",
        "1.4.1",
        "1.4.2",
        "10.0",
        "10.0.1",
        "10.1",
        "10.2",
        "10.2.1",
        "11.0",
        "11.1",
        "11.2",
        "11.3",
        "11.3.1",
        "12.0",
        "12.0.1",
        "12.0.2",
        "12.0.3",
        "12.0.4",
        "12.0.5",
        "12.1",
        "12.2",
        "12.3",
        "12.4",
        "13.0",
        "13.0.1",
        "13.0.2",
        "14.0",
        "14.1",
        "14.1.1",
        "14.2",
        "14.3",
        "14.3.1",
        "15.0",
        "15.1",
        "15.2",
        "16.0",
        "17.0",
        "17.1",
        "17.1.1",
        "18.0",
        "18.0.1",
        "18.1",
        "18.2",
        "18.3",
        "18.3.1",
        "18.3.2",
        "18.4",
        "18.5",
        "18.6",
        "18.6.1",
        "18.7",
        "18.7.1",
        "18.8",
        "18.8.1",
        "19.0",
        "19.1",
        "19.1.1",
        "19.2",
        "19.3",
        "19.4",
        "19.4.1",
        "19.5",
        "19.6",
        "19.6.1",
        "19.6.2",
        "19.7",
        "2.0",
        "2.0.1",
        "2.0.2",
        "2.1",
        "2.1.1",
        "2.1.2",
        "2.2",
        "20.0",
        "20.1",
        "20.1.1",
        "20.10.1",
        "20.2.2",
        "20.3",
        "20.3.1",
        "20.4",
        "20.6.6",
        "20.6.7",
        "20.6.8",
        "20.7.0",
        "20.8.0",
        "20.8.1",
        "20.9.0",
        "21.0.0",
        "21.1.0",
        "21.2.0",
        "21.2.1",
        "21.2.2",
        "22.0.0",
        "22.0.1",
        "22.0.2",
        "22.0.4",
        "22.0.5",
        "23.0.0",
        "23.1.0",
        "23.2.0",
        "23.2.1",
        "24.0.0",
        "24.0.1",
        "24.0.2",
        "24.0.3",
        "24.1.0",
        "24.1.1",
        "24.2.0",
        "24.2.1",
        "24.3.0",
        "24.3.1",
        "25.0.0",
        "25.0.1",
        "25.0.2",
        "25.1.0",
        "25.1.1",
        "25.1.2",
        "25.1.3",
        "25.1.4",
        "25.1.5",
        "25.1.6",
        "25.2.0",
        "25.3.0",
        "25.4.0",
        "26.0.0",
        "26.1.0",
        "26.1.1",
        "27.0.0",
        "27.1.0",
        "27.1.2",
        "27.2.0",
        "27.3.0",
        "27.3.1",
        "28.0.0",
        "28.1.0",
        "28.2.0",
        "28.3.0",
        "28.4.0",
        "28.5.0",
        "28.6.0",
        "28.6.1",
        "28.7.0",
        "28.7.1",
        "28.8.0",
        "28.8.1",
        "29.0.0",
        "29.0.1",
        "3.0",
        "3.0.1",
        "3.0.2",
        "3.1",
        "3.2",
        "3.3",
        "3.4",
        "3.4.1",
        "3.4.2",
        "3.4.3",
        "3.4.4",
        "3.5",
        "3.5.1",
        "3.5.2",
        "3.6",
        "3.7",
        "3.7.1",
        "3.8",
        "3.8.1",
        "30.0.0",
        "30.1.0",
        "30.2.0",
        "30.2.1",
        "30.3.0",
        "30.4.0",
        "31.0.0",
        "31.0.1",
        "32.0.0",
        "32.1.0",
        "32.1.1",
        "32.1.2",
        "32.1.3",
        "32.2.0",
        "32.3.0",
        "32.3.1",
        "33.1.0",
        "33.1.1",
        "34.0.0",
        "34.0.1",
        "34.0.2",
        "34.0.3",
        "34.1.0",
        "34.1.1",
        "34.2.0",
        "34.3.0",
        "34.3.1",
        "34.3.2",
        "34.3.3",
        "34.4.0",
        "34.4.1",
        "35.0.0",
        "35.0.1",
        "35.0.2",
        "36.0.1",
        "36.1.0",
        "36.1.1",
        "36.2.0",
        "36.2.1",
        "36.2.2",
        "36.2.3",
        "36.2.4",
        "36.2.5",
        "36.2.6",
        "36.2.7",
        "36.3.0",
        "36.4.0",
        "36.5.0",
        "36.6.0",
        "36.6.1",
        "36.7.0",
        "36.7.1",
        "36.7.2",
        "36.8.0",
        "37.0.0",
        "38.0.0",
        "38.1.0",
        "38.2.0",
        "38.2.1",
        "38.2.3",
        "38.2.4",
        "38.2.5",
        "38.3.0",
        "38.4.0",
        "38.4.1",
        "38.5.0",
        "38.5.1",
        "38.5.2",
        "38.6.0",
        "38.6.1",
        "38.7.0",
        "39.0.0",
        "39.0.1",
        "39.1.0",
        "39.2.0",
        "4.0",
        "4.0.1",
        "40.0.0",
        "40.1.0",
        "40.1.1",
        "40.2.0",
        "40.3.0",
        "40.4.0",
        "40.4.1",
        "40.4.2",
        "40.4.3",
        "40.5.0",
        "40.6.0",
        "40.6.1",
        "40.6.2",
        "40.6.3",
        "40.7.0",
        "40.7.1",
        "40.7.2",
        "40.7.3",
        "40.8.0",
        "40.9.0",
        "41.0.0",
        "41.0.1",
        "41.1.0",
        "41.2.0",
        "41.3.0",
        "41.4.0",
        "41.5.0",
        "41.5.1",
        "41.6.0",
        "42.0.0",
        "42.0.1",
        "42.0.2",
        "43.0.0",
        "44.0.0",
        "44.1.0",
        "44.1.1",
        "45.0.0",
        "45.1.0",
        "45.2.0",
        "45.3.0",
        "46.0.0",
        "46.1.0",
        "46.1.1",
        "46.1.2",
        "46.1.3",
        "46.2.0",
        "46.3.0",
        "46.3.1",
        "46.4.0",
        "47.0.0",
        "47.1.0",
        "47.1.1",
        "47.2.0",
        "47.3.0",
        "47.3.1",
        "47.3.2",
        "48.0.0",
        "49.0.0",
        "49.0.1",
        "49.1.0",
        "49.1.1",
        "49.1.2",
        "49.1.3",
        "49.2.0",
        "49.2.1",
        "49.3.0",
        "49.3.1",
        "49.3.2",
        "49.4.0",
        "49.5.0",
        "49.6.0",
        "5.0",
        "5.0.1",
        "5.0.2",
        "5.1",
        "5.2",
        "5.3",
        "5.4",
        "5.4.1",
        "5.4.2",
        "5.5",
        "5.5.1",
        "5.6",
        "5.7",
        "5.8",
        "50.0.0",
        "50.0.1",
        "50.0.2",
        "50.0.3",
        "50.1.0",
        "50.2.0",
        "50.3.0",
        "50.3.1",
        "50.3.2",
        "51.0.0",
        "51.1.0",
        "51.1.0.post20201221",
        "51.1.1",
        "51.1.2",
        "51.2.0",
        "51.3.0",
        "51.3.1",
        "51.3.2",
        "51.3.3",
        "52.0.0",
        "53.0.0",
        "53.1.0",
        "54.0.0",
        "54.1.0",
        "54.1.1",
        "54.1.2",
        "54.1.3",
        "54.2.0",
        "56.0.0",
        "56.1.0",
        "56.2.0",
        "57.0.0",
        "57.1.0",
        "57.2.0",
        "57.3.0",
        "57.4.0",
        "57.5.0",
        "58.0.0",
        "58.0.1",
        "58.0.2",
        "58.0.3",
        "58.0.4",
        "58.1.0",
        "58.2.0",
        "58.3.0",
        "58.4.0",
        "58.5.0",
        "58.5.1",
        "58.5.2",
        "58.5.3",
        "59.0.1",
        "59.1.0",
        "59.1.1",
        "59.2.0",
        "59.3.0",
        "59.4.0",
        "59.5.0",
        "59.6.0",
        "59.7.0",
        "59.8.0",
        "6.0.1",
        "6.0.2",
        "6.1",
        "60.0.0",
        "60.0.1",
        "60.0.2",
        "60.0.3",
        "60.0.4",
        "60.0.5",
        "60.1.0",
        "60.1.1",
        "60.10.0",
        "60.2.0",
        "60.3.0",
        "60.3.1",
        "60.4.0",
        "60.5.0",
        "60.6.0",
        "60.7.0",
        "60.7.1",
        "60.8.0",
        "60.8.1",
        "60.8.2",
        "60.9.0",
        "60.9.1",
        "60.9.2",
        "60.9.3",
        "61.0.0",
        "61.1.0",
        "61.1.1",
        "61.2.0",
        "61.3.0",
        "61.3.1",
        "62.0.0",
        "62.1.0",
        "62.2.0",
        "62.3.0",
        "62.3.1",
        "62.3.2",
        "62.3.3",
        "62.3.4",
        "62.4.0",
        "62.5.0",
        "62.6.0",
        "63.0.0",
        "63.0.0b1",
        "63.1.0",
        "63.2.0",
        "63.3.0",
        "63.4.0",
        "63.4.1",
        "63.4.2",
        "63.4.3",
        "64.0.0",
        "64.0.1",
        "64.0.2",
        "64.0.3",
        "65.0.0",
        "65.0.1",
        "65.0.2",
        "65.1.0",
        "65.1.1",
        "65.2.0",
        "65.3.0",
        "65.4.0",
        "65.4.1",
        "65.5.0",
        "7.0",
        "8.0",
        "8.0.1",
        "8.0.2",
        "8.0.3",
        "8.0.4",
        "8.1",
        "8.2",
        "8.2.1",
        "8.3",
        "9.0",
        "9.0.1",
        "9.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2022-40897"
  ],
  "details": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.",
  "id": "PYSEC-2022-43012",
  "modified": "2023-05-04T04:29:29.797493Z",
  "published": "2022-12-23T00:15:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200"
    },
    {
      "type": "WEB",
      "url": "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1"
    },
    {
      "type": "FIX",
      "url": "https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be"
    },
    {
      "type": "WEB",
      "url": "https://pyup.io/vulnerabilities/CVE-2022-40897/52495/"
    }
  ]
}






