CVE-2022-42969Regex Denial of Service in PY

CWE-1333Regex Denial of Service10 documents7 sources
Severity
7.5HIGHNVD
CNA5.3
EPSS
0.1%
top 67.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Pytest PY
Timeline
PublishedOct 16
Latest updateNov 4

Description

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. Note: This has been disputed by multiple third parties as not being reproduceable and they argue this is not a valid vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

NVDpytest/py1.11.0
PyPIpytest/py1.11.0

🔴Vulnerability Details

6
OSV
CVE-2022-42969: The py library through 12022-11-04
OSV
CVE-2022-42969: The py library through 12022-10-16
GHSA
Withdrawn Advisory: ReDoS in py library when used with subversion2022-10-16
CVEList
CVE-2022-42969: The py library through 12022-10-16
OSV
CVE-2022-42969: ** DISPUTED ** The py library through 12022-10-16

📋Vendor Advisories

3
Red Hat
py: ReDoS in py library when used with subversion2022-10-16
Microsoft
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSv2022-10-11
Debian
CVE-2022-42969: python-py - The py library through 1.11.0 for Python allows remote attackers to conduct a Re...2022
CVE-2022-42969 — Regex Denial of Service in Pytest PY | cvebase