CVSS3: 5.9 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector String | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |

CVSS2: 2.6 Low

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector String | AV:N/AC:H/Au:N/C:N/I:N/A:P |

EPSS: 0.005 Low (Percentile 75.0%)
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote
attackers to cause a denial of service via HTML in a crafted package or
custom PackageIndex page. There is a Regular Expression Denial of Service
(ReDoS) in package_index.py.
Author | Note |
---|---|
mdeslaur | the python-pip package bundles python-setuptools binaries when built. After updating python-setuptools, a no-change rebuild of python-pip is required. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python-pip | < 9.0.1-2.3~ubuntu1.18.04.6 | UNKNOWN |
ubuntu | 20.04 | noarch | python-pip | < 20.0.2-5ubuntu1.7 | UNKNOWN |
ubuntu | 22.04 | noarch | python-pip | < 22.0.2+dfsg-1ubuntu0.1 | UNKNOWN |
ubuntu | 22.10 | noarch | python-pip | < 22.2+dfsg-1ubuntu0.1 | UNKNOWN |
ubuntu | 14.04 | noarch | python-pip | < 1.5.4-1ubuntu4+esm2 (Available with Ubuntu Pro or Ubuntu Pro (Infra-only)) | UNKNOWN |
ubuntu | 16.04 | noarch | python-pip | < 8.1.1-2ubuntu0.6+esm3 | UNKNOWN |
ubuntu | 18.04 | noarch | python-setuptools | < 39.0.1-2ubuntu0.1 | UNKNOWN |
ubuntu | 20.04 | noarch | python-setuptools | < 44.0.0-2ubuntu0.1 | UNKNOWN |
ubuntu | 22.04 | noarch | python-setuptools | < 44.1.1-1.2ubuntu0.22.04.1 | UNKNOWN |
ubuntu | 22.10 | noarch | python-setuptools | < 44.1.1-1.2ubuntu0.22.10.1 | UNKNOWN |
github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200
github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
launchpad.net/bugs/cve/CVE-2022-40897
nvd.nist.gov/vuln/detail/CVE-2022-40897
pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
security-tracker.debian.org/tracker/CVE-2022-40897
ubuntu.com/security/notices/USN-5817-1
www.cve.org/CVERecord?id=CVE-2022-40897