CVE-2022-40897: Regex Denial of Service in Setuptools

Severity: 5.9 MEDIUM (NVD)
EPSS: 0.5% (top 33.48%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 23; Latest update Feb 14

Description

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6

Affected Packages (11 packages)

NVD: python/setuptools < 65.5.1
PyPI: python/setuptools < 65.5.1
Debian: python/setuptools < 52.0.0-4+deb11u1+3
Debian: debian/setuptools < setuptools 65.6.3-1 (bookworm)

Patches

Vulnerability Details (3)

OSV: pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS) (2022-12-23)
OSV: CVE-2022-40897: Python Packaging Authority (PyPA) setuptools before 65 (2022-12-23)
GHSA: pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS) (2022-12-23)

Vendor Advisories (6)

Palo Alto: PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS (2024-02-14)
Oracle: Oracle PeopleSoft Risk Matrix: Porting (Python setuptools) — CVE-2022-40897 (2023-07-15)
Ubuntu: Setuptools vulnerability (2023-01-23)
Red Hat: pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py (2022-12-22)
Microsoft: Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression (2022-12-13)
CVE-2022-40897 — Regex Denial of Service in Python | cvebase