CVE-2022-40897 – pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py
https://notcve.org/view.php?id=CVE-2022-40897
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. A flaw was found in Python Setuptools due to a regular expression Denial of Service (ReDoS) present in package_index.py.
• https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200 https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H https://pyup.io/posts/pyup-discovers-
• CWE-185: Incorrect Regular Expression CWE-1333: Inefficient Regular Expression Complexity
CVE-2022-45199
https://notcve.org/view.php?id=CVE-2022-45199
Pillow before 9.3.0 allows denial of service via SAMPLESPERPIXEL.
• https://bugs.gentoo.org/878769 https://github.com/python-pillow/Pillow/commit/2444cddab2f83f28687c7c20871574acbb6dbcf3 https://github.com/python-pillow/Pillow/pull/6700 https://github.com/python-pillow/Pillow/releases/tag/9.3.0 https://security.gentoo.org/glsa/202211-10
• CWE-400: Uncontrolled Resource Consumption
CVE-2022-45198
https://notcve.org/view.php?id=CVE-2022-45198
Pillow before 9.2.0 performs Improper Handling of Highly Compressed GIF Data (Data Amplification).
• https://bugs.gentoo.org/855683 https://cwe.mitre.org/data/definitions/409.html https://github.com/python-pillow/Pillow/commit/11918eac0628ec8ac0812670d9838361ead2d6a4 https://github.com/python-pillow/Pillow/pull/6402 https://github.com/python-pillow/Pillow/releases/tag/9.2.0 https://security.gentoo.org/glsa/202211-10
CVE-2022-45061 – python: CPU denial of service via inefficient IDNA decoder
https://notcve.org/view.php?id=CVE-2022-45061
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
• https://github.com/python/cpython/issues/98433 https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4WBZJNS
• CWE-400: Uncontrolled Resource Consumption CWE-407: Inefficient Algorithmic Complexity
CVE-2022-42966 – Exponential ReDoS in cleo leads to denial of service
https://notcve.org/view.php?id=CVE-2022-42966
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method.
• https://research.jfrog.com/vulnerabilities/cleo-redos-xray-257186
• CWE-1333: Inefficient Regular Expression Complexity