CVE-2022-40897


CVSS 5.9 MEDIUM · EPSS 2.6% · CWE-1333
In short

A flaw in setuptools allows attackers to crash or hang the package installation process by serving specially crafted HTML. When setuptools parses package index pages, a vulnerable regular expression backtracks excessively on adversarial input, consuming CPU time until the installing process effectively freezes.

Technical detail

A ReDoS vulnerability in setuptools' package_index.py allows remote attackers to cause a denial of service by serving malicious HTML from a crafted package page or a custom PackageIndex page. The vulnerable regex pattern exhibits exponential backtracking on adversarial input, so availability is impacted whenever setuptools installs a package or queries an index that serves such content. Versions before 65.5.1 are affected.

Summary generated and translated by AI from the official description.
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
n/a · n/a
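Added example, not part of the advisory: a small audit that scans `pip freeze` or requirements.txt lines from build images and flags setuptools pins below 65.5.1, the fixed version named above. The comparison handles pre-release and post-release tags in a PEP 440-like way; the sample input is constructed.

```python
import re
from typing import Optional

FIXED_VERSION = "65.5.1"  # first setuptools release without the package_index.py ReDoS

# "name==version" as emitted by pip freeze; other specifiers are treated as unpinned
PIN_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")
NAME_RE = re.compile(r"^\s*([A-Za-z0-9._-]+)")


def version_key(v: str) -> tuple:
    """Sort key: numeric release segments, then a rank so that a pre-release
    (rc1, b2, .dev0) sorts before the final release and .postN sorts after it."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v)
    release = tuple(int(p) for p in m.group(1).split("."))
    suffix = m.group(2)
    rank = 2 if suffix.startswith(".post") else (1 if suffix == "" else 0)
    return (release, rank)


def classify(line: str) -> Optional[tuple]:
    """Return (status, version) for a setuptools requirement line, else None.
    status is 'vulnerable' (< 65.5.1), 'fixed' (>= 65.5.1) or 'unpinned'."""
    line = line.split("#", 1)[0].strip()  # drop inline comments
    name = NAME_RE.match(line)
    if not name or name.group(1).lower().replace("_", "-") != "setuptools":
        return None
    pin = PIN_RE.match(line)
    if not pin:
        return ("unpinned", None)
    ver = pin.group(2)
    status = "vulnerable" if version_key(ver) < version_key(FIXED_VERSION) else "fixed"
    return (status, ver)


def audit(text: str) -> dict:
    """Group every setuptools line of a freeze/requirements body by status."""
    report = {"vulnerable": [], "fixed": [], "unpinned": []}
    for raw in text.splitlines():
        result = classify(raw)
        if result:
            report[result[0]].append(raw.strip())
    return report


# Constructed sample resembling pip freeze output collected from several images
SAMPLE = """\
requests==2.28.1
setuptools==65.5.0        # lagging build image
Setuptools==65.5.1rc1
setuptools>=58.0
setuptools==66.1.1
"""

if __name__ == "__main__":
    for status, lines in audit(SAMPLE).items():
        print(f"{status}: {lines}")
```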
