Your submission was sent successfully! Close

You have successfully unsubscribed! Close

CVE-2022-40897

Published: 23 December 2022

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Notes

AuthorNote
mdeslaur
the python-pip package bundles python-setuptools binaries
when built. After updating python-setuptools, a no-change
rebuild of python-pip is required.

Priority

Medium

Cvss 3 Severity Score

5.9

Score breakdown

Status

Package Release Status
python-pip
Launchpad, Ubuntu, Debian
bionic
Released (9.0.1-2.3~ubuntu1.18.04.6)
focal
Released (20.0.2-5ubuntu1.7)
jammy
Released (22.0.2+dfsg-1ubuntu0.1)
kinetic
Released (22.2+dfsg-1ubuntu0.1)
lunar Needed

trusty
Released (1.5.4-1ubuntu4+esm2)
upstream Needed

xenial
Released (8.1.1-2ubuntu0.6+esm3)
python-setuptools
Launchpad, Ubuntu, Debian
bionic
Released (39.0.1-2ubuntu0.1)
focal
Released (44.0.0-2ubuntu0.1)
jammy
Released (44.1.1-1.2ubuntu0.22.04.1)
kinetic
Released (44.1.1-1.2ubuntu0.22.10.1)
trusty
Released (3.3-1ubuntu2+esm1)
upstream
Released (65.5.1)
xenial
Released (20.7.0-1ubuntu0.1~esm1)
setuptools
Launchpad, Ubuntu, Debian
bionic Does not exist

focal
Released (45.2.0-1ubuntu0.1)
jammy
Released (59.6.0-1.2ubuntu0.22.04.1)
kinetic
Released (59.6.0-1.2ubuntu0.22.10.1)
lunar Pending
(66.1.1-1)
trusty Does not exist

upstream
Released (65.5.1)
xenial Does not exist

Severity score breakdown

Parameter Value
Base score 5.9
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H