CVE-2022-40897

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

References

Affected packages

Git / github.com/pypa/setuptools

Affected ranges

Type

GIT

Repo

https://github.com/pypa/setuptools

Events

Introduced

Fixed

a462cb5edb324dcc56f903524b742305e4087014

Fixed

43a9c9bfa6aa626ec2a22540bea28d2ca77964be

Database specific

{
    "source": [
        "CPE_FIELD",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "65.5.1"
        }
    ]
}

Affected versions

v59.*

v59.8.0

v60.*

v60.0.0

v60.0.1

v60.0.2

v60.0.3

v60.0.4

v60.0.5

v60.1.0

v60.1.1

v60.10.0

v60.2.0

v60.3.0

v60.3.1

v60.4.0

v60.5.0

v60.5.1

v60.5.2

v60.5.3

v60.5.4

v60.6.0

v60.7.0

v60.7.1

v60.8.0

v60.8.1

v60.8.2

v60.9.0

v60.9.1

v60.9.2

v60.9.3

v61.*

v61.0.0

v61.1.0

v61.1.1

v61.2.0

v61.3.0

v61.3.1

v62.*

v62.0.0

v62.1.0

v62.2.0

v62.3.0

v62.3.1

v62.3.2

v62.3.3

v62.3.4

v62.4.0

v62.5.0

v62.6.0

v63.*

v63.0.0

v63.1.0

v63.2.0

v63.3.0

v63.4.0

v63.4.1

v63.4.2

v63.4.3

v64.*

v64.0.0

v64.0.1

v64.0.2

v64.0.3

v65.*

v65.0.0

v65.0.1

v65.0.2

v65.1.0

v65.1.1

v65.2.0

v65.3.0

v65.4.0

v65.4.1

v65.5.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-40897.json"