CVE-2022-40897 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADP	ADP	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 66%

Affected Products (NVD)

Vendor	Product	Version
python	setuptools	𝑥 < 65.5.1

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

setuptools

bookworm	66.1.1-1 fixed
bullseye	vulnerable
bullseye (security)	52.0.0-4+deb11u1 fixed
sid	75.2.0-1 fixed
trixie	74.1.2-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

python-pip

bionic	Fixed 9.0.1-2.3~ubuntu1.18.04.6 released
focal	Fixed 20.0.2-5ubuntu1.7 released
jammy	Fixed 22.0.2+dfsg-1ubuntu0.1 released
kinetic	Fixed 22.2+dfsg-1ubuntu0.1 released
lunar	not-affected
trusty	Fixed 1.5.4-1ubuntu4+esm2 released
xenial	Fixed 8.1.1-2ubuntu0.6+esm3 released

python-setuptools

bionic	Fixed 39.0.1-2ubuntu0.1 released
focal	Fixed 44.0.0-2ubuntu0.1 released
jammy	Fixed 44.1.1-1.2ubuntu0.22.04.1 released
kinetic	Fixed 44.1.1-1.2ubuntu0.22.10.1 released
trusty	Fixed 3.3-1ubuntu2+esm1 released
xenial	Fixed 20.7.0-1ubuntu0.1~esm1 released

setuptools

bionic	dne
focal	Fixed 45.2.0-1ubuntu0.1 released
jammy	Fixed 59.6.0-1.2ubuntu0.22.04.1 released
kinetic	Fixed 59.6.0-1.2ubuntu0.22.10.1 released
lunar	not-affected
trusty	dne
xenial	dne

Known Exploits!

Common Weakness Enumeration

CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References

https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200

https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be

https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/

https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

https://pyup.io/vulnerabilities/CVE-2022-40897/52495/

https://security.netapp.com/advisory/ntap-20230214-0001/

https://security.netapp.com/advisory/ntap-20240621-0006/

https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200

https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be

https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1

https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/

https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

https://pyup.io/vulnerabilities/CVE-2022-40897/52495/

https://security.netapp.com/advisory/ntap-20230214-0001/

https://security.netapp.com/advisory/ntap-20240621-0006/