Remote Denial of Service in Setuptools by Python Packaging Authority
CVE-2022-40897
5.9 MEDIUM
Summary
A vulnerability exists in the setuptools package maintained by the Python Packaging Authority that could allow remote attackers to cause a denial of service. The flaw lies in a regular expression in the package_index.py file: crafted HTML served in a specially constructed package or custom PackageIndex page can trigger excessive backtracking in that expression (a regular expression denial of service), consuming CPU time and disrupting the process that parses the page.
References
CVSS V3.1
Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved