Lucene search

GitHub Advisory DatabaseGHSA-R9HX-VWMV-Q579

HistoryDec 23, 2022 - 12:30 a.m.

pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)

2022-12-2300:30:23

CWE-1333

GitHub Advisory Database

github.com

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:N/I:N/A:P

0.005 Low

EPSS

Percentile

75.2%

JSON

Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects. Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index. This has been patched in version 65.5.1.

CPENameOperatorVersion
setuptoolslt65.5.1

CPE	Name	Operator	Version
	setuptools	lt	65.5.1

References

github.com/advisories/GHSA-r9hx-vwmv-q579

github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200

github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be

github.com/pypa/setuptools/compare/v65.5.0...v65.5.1

github.com/pypa/setuptools/issues/3659

lists.fedoraproject.org/archives/list/[email protected]/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/

lists.fedoraproject.org/archives/list/[email protected]/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/

nvd.nist.gov/vuln/detail/CVE-2022-40897

pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

pyup.io/vulnerabilities/CVE-2022-40897/52495/

security.netapp.com/advisory/ntap-20230214-0001/

setuptools.pypa.io/en/latest/

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:N/I:N/A:P

0.005 Low

EPSS

Percentile

75.2%

JSON

Related for GHSA-R9HX-VWMV-Q579