CVE-2022-40897

pypa-setuptools: Regular Expression Denial of Service (ReDoS) in package_index.py

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Las herramientas de configuración Python Packaging Authority (PyPA) anteriores a 65.5.1 permiten a atacantes remotos provocar una Denegación de Servicio (DoS) a través de HTML en un paquete manipulado o en una página PackageIndex personalizada. Hay una Denegación de Servicio (DoS) de expresión regular (ReDoS) en package_index.py.

A flaw was found in Python Setuptools due to a regular expression Denial of Service (ReDoS) present in package_index.py. This issue could allow a remote attacker to cause a denial of service via HTML in a crafted package or custom PackageIndex page.

Multicluster Engine for Kubernetes 2.1.6 images Multicluster engine for Kubernetes provides the foundational components that are necessary for the centralized management of multiple Kubernetes-based clusters across data centers, public clouds, and private clouds. You can use the engine to create new Red Hat OpenShift Container Platform clusters or to bring existing Kubernetes-based clusters under management by importing them. After the clusters are managed, you can use the APIs that are provided by the engine to distribute configuration based on placement policy. Issues addressed include a denial of service vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2022-09-19 CVE Reserved
2022-12-22 CVE Published
2024-10-29 CVE Updated
2024-10-29 First Exploit
2025-04-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-185: Incorrect Regular Expression
CWE-1333: Inefficient Regular Expression Complexity

CAPEC

References (11)

URL	Tag	Source
https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200	Third Party Advisory
https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1	Release Notes
https://pyup.io/vulnerabilities/CVE-2022-40897/52495	Third Party Advisory
https://security.netapp.com/advisory/ntap-20230214-0001
https://security.netapp.com/advisory/ntap-20240621-0006

URL	Date	SRC
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages	2024-10-29

URL	Date	SRC
https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be	2024-06-21

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R	2024-06-21
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H	2024-06-21
https://access.redhat.com/security/cve/CVE-2022-40897	2024-09-23
https://bugzilla.redhat.com/show_bug.cgi?id=2158559	2024-09-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Search vendor "Python"		Setuptools Search vendor "Python" for product "Setuptools"				< 65.5.1 Search vendor "Python" for product "Setuptools" and version " < 65.5.1"		-		Affected