Vulnerability Details : CVE-2022-40897
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Vulnerability category: Denial of service
Products affected by CVE-2022-40897
- cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-40897
EPSS score: 0.65% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~79% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2022-40897
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.2 | 3.6 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2024-10-29 |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2022-40897
- The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2022-40897
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/ : [SECURITY] Fedora 37 Update: python-setuptools-62.6.0-3.fc37 - package-announce - Fedora Mailing-Lists
- https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1 : Comparing v65.5.0...v65.5.1 · pypa/setuptools · GitHub (Release Notes; Third Party Advisory)
- https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be : Limit the amount of whitespace to search/backtrack. Fixes #3659. · pypa/setuptools@43a9c9b · GitHub (Patch; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20230214-0001/ : CVE-2022-40897 Python Vulnerability in NetApp Products | NetApp Product Security
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/ : [SECURITY] Fedora 36 Update: python-setuptools-59.6.0-4.fc36 - package-announce - Fedora Mailing-Lists
- https://pyup.io/vulnerabilities/CVE-2022-40897/52495/ : PyUp Vuln #52495 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20240621-0006/ : February 2024 IBM Cognos Analytics Vulnerabilities in NetApp Products | NetApp Product Security
- https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200 : setuptools/package_index.py at fe8a98e696241487ba6ac9f91faa38ade939ec5d · pypa/setuptools · GitHub (Third Party Advisory)
- https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/ : PyUp Discovers ReDoS Vulnerabilities in Top Python Packages (Exploit; Patch; Technical Description; Vendor Advisory)