CVE-2022-40897
CVSS V2 None
CVSS V3 None
Description
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
Overview
- CVE ID
- CVE-2022-40897
- Assigner
- cve@mitre.org
- Vulnerability Status
- Modified
- Published Version
- 2022-12-23T00:15:13
- Last Modified Date
- 2023-04-30T04:15:30
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:* | 1 | OR | 65.5.1 |
References
| Reference URL | Reference Tags |
|---|---|
| https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200 | Third Party Advisory |
| https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be | Patch Third Party Advisory |
| https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1 | Release Notes Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/ | |
| https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/ | Exploit Patch Technical Description Vendor Advisory |
| https://pyup.io/vulnerabilities/CVE-2022-40897/52495/ | Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20230214-0001/ |
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-40897 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-12-23 00:17:58 | Added to TrackCVE | |||
| 2022-12-23 04:15:36 | 2022-12-23T03:31:02 | CVE Modified Date | updated | |
| 2022-12-23 04:15:36 | Received | Awaiting Analysis | Vulnerability Status | updated |
| 2022-12-27 08:16:57 | 2022-12-27T08:15:10 | CVE Modified Date | updated | |
| 2022-12-27 08:16:57 | An issue discovered in Python Packaging Authority (PyPA) setuptools 65.3.0 and earlier allows remote attackers to cause a denial of service via crafted HTML package or custom PackageIndex page. | Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. | Description | updated |
| 2022-12-27 08:16:58 | References | updated | ||
| 2022-12-28 20:14:46 | Awaiting Analysis | Undergoing Analysis | Vulnerability Status | updated |
| 2022-12-30 22:15:28 | 2022-12-30T21:45:02 | CVE Modified Date | updated | |
| 2022-12-30 22:15:28 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |
| 2022-12-30 22:15:29 | Weakness Enumeration | new | ||
| 2022-12-30 22:15:31 | CPE Information | updated | ||
| 2023-01-06 18:21:54 | Analyzed | Undergoing Analysis | Vulnerability Status | updated |
| 2023-01-06 19:16:07 | 2023-01-06T18:34:41 | CVE Modified Date | updated | |
| 2023-01-06 19:16:07 | Undergoing Analysis | Analyzed | Vulnerability Status | updated |
| 2023-02-14 15:16:08 | 2023-02-14T13:15:12 | CVE Modified Date | updated | |
| 2023-02-14 15:16:08 | Analyzed | Modified | Vulnerability Status | updated |
| 2023-02-14 15:16:09 | References | updated | ||
| 2023-04-30 05:02:44 | 2023-04-30T04:15:30 | CVE Modified Date | updated | |
| 2023-04-30 05:02:45 | References | updated |