CVE-2022-40898 — Improper Input Validation in Project Wheel

CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption CWE-1333 — Regex Denial of Service10 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 62.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Wheel Project Wheel Debian Wheel Msrc Azl3 Mozjs 102.15.1-1 ON Azure Linux 3.0 +6 more

Timeline

PublishedDec 23

Latest updateFeb 28

Description

An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages11 packages

▶msrcmsrc/azl3_python-wheel_0.33.6-7_on_azure_linux_3.0

▶msrcmsrc/azl3_python-wheel_0.43.0-1_on_azure_linux_3.0

▶debiandebian/wheel< wheel 0.38.0-1 (bookworm)

▶NVDwheel_project/wheel< 0.38.1

▶PyPIwheel_project/wheel< 0.38.1

🔴Vulnerability Details

OSV

pypa/wheel vulnerable to Regular Expression denial of service (ReDoS)↗2022-12-23

▶

OSV

CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0↗2022-12-23

▶

GHSA

pypa/wheel vulnerable to Regular Expression denial of service (ReDoS)↗2022-12-23

▶

📋Vendor Advisories

Ubuntu

pip regression↗2023-02-28

▶

Ubuntu

wheel vulnerability↗2023-01-24

▶

Ubuntu

wheel vulnerability↗2023-01-24

▶

Red Hat

python-wheel: remote attackers can cause denial of service via attacker controlled input to wheel cli↗2022-12-21

▶

Microsoft

An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.↗2022-12-13

▶