Vulnerability DatabaseCVE-2022-40897
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-40897
December 22, 2022
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Affected Packages
setuptools (PYTHON):
Affected version(s) >=0.6b1 <65.5.1
Fix Suggestion:
Update to version 65.5.1
Related Resources (24)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R
https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1
https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/
https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200
https://pyup.io/vulnerabilities/CVE-2022-40897/52495
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R
https://access.redhat.com/security/cve/CVE-2022-40897
https://security.netapp.com/advisory/ntap-20240621-0006/
https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html
https://github.com/pypa/setuptools/issues/3659
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H
https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2022-43012.yaml
https://security.netapp.com/advisory/ntap-20230214-0001
https://github.com/pypa/setuptools
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H
https://setuptools.pypa.io/en/latest
https://security.netapp.com/advisory/ntap-20230214-0001/
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
https://nvd.nist.gov/vuln/detail/CVE-2022-40897
https://pyup.io/vulnerabilities/CVE-2022-40897/52495/
https://security.netapp.com/advisory/ntap-20240621-0006
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.2
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Inefficient Regular Expression Complexity
CWE-1333
EPSS
Base Score:
0.52