CVE-2022-40897 – pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py
https://notcve.org/view.php?id=CVE-2022-40897
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. Las herramientas de configuración Python Packaging Authority (PyPA) anteriores a 65.5.1 permiten a atacantes remotos provocar una Denegación de Servicio (DoS) a través de HTML en un paquete manipulado o en una página PackageIndex personalizada. Hay una Denegación de Servicio (DoS) de expresión regular (ReDoS) en package_index.py. A flaw was found in Python Setuptools due to a regular expression Denial of Service (ReDoS) present in package_index.py. • https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200 https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H https://pyup.io/posts/pyup-discovers- • CWE-185: Incorrect Regular Expression CWE-1333: Inefficient Regular Expression Complexity •
CVE-2013-1633
https://notcve.org/view.php?id=CVE-2013-1633
easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product. easy_install en setuptools anterior a v0.7 utiliza HTTP para recuperar paquetes del repositorio PyPI, y no realiza comprobaciones de integridad en el contenido del paquete, que permite a atacantes man-in-the-middle ejecutar código arbitrario a través de una respuesta diseñada para el uso por defecto del producto. • http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a https://pypi.python.org/pypi/setuptools/0.9.8#changes • CWE-20: Improper Input Validation •