Regular Expression Denial Of Service (ReDoS)

🗓️ 23 Dec 2022 08:31:40Reported by Veracode Vulnerability DatabaseType

veracode🔗 sca.analysiscenter.veracode.com👁 72 Views

setuptools vulnerability, insecure regex pattern in package_index.p

Reporter	Title	Published	Views	Family All 267
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - IoT uses multiple third party dependencies which is vulnerable to CVEs.	7 Apr 202519:17	–	ibm
IBM Security Bulletins	Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2022-40897]	25 Jul 202313:39	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Certifi, Setuptools and Python may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-23491, CVE-2022-40897, CVE-2022-45061)	1 Feb 202310:43	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Guardium Data Security Center is affected by multiple vulnerabilities	7 Mar 202515:14	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities exists in IBM Netezza Analytics - NPS Product	15 Jul 202515:44	–	ibm
IBM Security Bulletins	Security Bulletin: IBM SOAR QRadar Plugin App is vulnerable to using components with known vulnerabilities	27 Sep 202313:24	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Cloud Pak for Data Scheduling is vulnerable to python vulnerability ( CVE-2022-40897 )	6 Dec 202315:42	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Maximo Application Suite - Iot Component uses axios 1.7.9 and Python-3.8.17 which is vulnerable to CVE-2023-40217, CVE-2024-6232, CVE-2022-40897, CVE-2024-6345, CVE-2023-5752 and CVE-2025-27152	25 Jun 202508:00	–	ibm
IBM Security Bulletins	Security Bulletin: Maximo Application Suite is vulnerable to CVE-2022-40897 per setuptools dependency	27 Mar 202320:03	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Pypa Setuptools, Golang Go, OpenSSH, Minio and Certifi may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift	26 Mar 202503:37	–	ibm

Vulners

Node

google bionicMatch9.0.1-2.3~ubuntu1.18.04.2debian

AND

google bionicMatch9.0.1-2.3~ubuntu1.18.04.4debian

AND

google bionicMatch9.0.1-2.3~ubuntu1.18.04.5debian

AND

google bionicMatch9.0.1-2debian

AND

debian debian_linux

python setuptoolsRange0.6b1–65.5.0python

python-setuptools python-setuptoolsMatch17.1.1_3.el7aos

python-setuptools python-setuptoolsMatch17.1.1_3.el7

python-setuptools python-setuptoolsMatch0.6.10_4.el6_9

python-setuptools python-setuptoolsMatch0.6.10_3.el6

python-setuptools python-setuptoolsMatch17.1.1_4.el7

Source	Link
github	www.github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py
github	www.github.com/pypa/setuptools/issues/3659
github	www.github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
pyup	www.pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages
lists	www.lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/
lists	www.lists.fedoraproject.org/archives/list/[email protected]/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/
lists	www.lists.fedoraproject.org/archives/list/[email protected]/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/
lists	www.lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/
github	www.github.com/pypa/setuptools/compare/v65.5.0...v65.5.1
pyup	www.pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

21 Jun 2024 20:34Current

6Medium risk

Vulners AI Score6

CVSS 3.15.9

EPSS0.00513

SSVC