CVE-2022-40897

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CISA-ADPADP
5.9 MEDIUM
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 54%
VendorProductVersion
pythonsetuptools
𝑥
< 65.5.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
setuptools
bullseye
vulnerable
bullseye (security)
52.0.0-4+deb11u1
fixed
bookworm
66.1.1-1
fixed
trixie
74.1.2-2
fixed
sid
75.2.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python-pip
lunar
not-affected
kinetic
Fixed 22.2+dfsg-1ubuntu0.1
released
jammy
Fixed 22.0.2+dfsg-1ubuntu0.1
released
focal
Fixed 20.0.2-5ubuntu1.7
released
bionic
Fixed 9.0.1-2.3~ubuntu1.18.04.6
released
xenial
Fixed 8.1.1-2ubuntu0.6+esm3
released
trusty
Fixed 1.5.4-1ubuntu4+esm2
released
python-setuptools
kinetic
Fixed 44.1.1-1.2ubuntu0.22.10.1
released
jammy
Fixed 44.1.1-1.2ubuntu0.22.04.1
released
focal
Fixed 44.0.0-2ubuntu0.1
released
bionic
Fixed 39.0.1-2ubuntu0.1
released
xenial
Fixed 20.7.0-1ubuntu0.1~esm1
released
trusty
Fixed 3.3-1ubuntu2+esm1
released
setuptools
lunar
not-affected
kinetic
Fixed 59.6.0-1.2ubuntu0.22.10.1
released
jammy
Fixed 59.6.0-1.2ubuntu0.22.04.1
released
focal
Fixed 45.2.0-1ubuntu0.1
released
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200
https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
https://pyup.io/vulnerabilities/CVE-2022-40897/52495/
https://security.netapp.com/advisory/ntap-20230214-0001/
https://security.netapp.com/advisory/ntap-20240621-0006/
https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200
https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be
https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
https://pyup.io/vulnerabilities/CVE-2022-40897/52495/
https://security.netapp.com/advisory/ntap-20230214-0001/
https://security.netapp.com/advisory/ntap-20240621-0006/