PT-2022-26687 · Pypi+2 · Py+3

Woodruffw · Published 2022-10-16 · Updated 2025-11-13 · CVE-2022-42969
CVSS v4.0: 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: py versions through 1.11.0
Description: The py library allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. The issue lies in the regular expression py.path.svnurl.InfoSvnCommand.lspattern and is only relevant when py is used against Subversion (svn) repositories; code that never uses py's svn path classes does not reach the affected regular expression. Note that multiple third parties have disputed this issue as not reproducible and argue that it is not a valid vulnerability.
Recommendations: For py versions through 1.11.0, no py release containing a fix is available. Instead, update the package that pulls in py to a release that no longer depends on it; for pytest that is version 7.2.0 or later. A direct pin on py (rather than one inherited through pytest) keeps the affected code installed regardless of the pytest version.
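Because the claim is disputed as not reproducible, the useful check is to measure rather than argue: time the regex on near-miss inputs of growing length and see how the cost scales. The harness below is an added example, not code from the page or from the py project. It includes a classic exponential control pattern `(a+)+$`, a constructed svn "ls -v"-style input generator (not a real crafted payload), and a stand-in pattern that is not py's; if py is installed it instead loads the real `InfoSvnCommand.lspattern`, assuming the module path `py._path.svnurl`.

```python
"""Backtracking probe for a disputed ReDoS claim (added example, not py's code).

Times a compiled regex on inputs whose length grows by a constant step and
reports how the match cost scales: roughly constant per step means linear,
a small multiplier per step means polynomial, a large one means exponential.
"""
import re
import time
from typing import Callable, List, Optional, Tuple


def load_py_lspattern() -> Optional["re.Pattern"]:
    """Return py's real lspattern if py is importable, else None.
    The module path py._path.svnurl is an assumption about py's layout."""
    try:
        from py._path.svnurl import InfoSvnCommand  # assumed module path
        return InfoSvnCommand.lspattern
    except Exception:
        return None


# Constructed stand-in (NOT py's pattern): optional groups between
# overlapping whitespace/digit runs, the shape that invites backtracking.
STAND_IN = re.compile(r"^ *(\d+) +(.+?) +0? *(\d+)? *(\w+ +\d{2} +[\d:]+) +(.*)$")


def svn_ls_line(n: int) -> str:
    """Constructed near-miss 'svn ls -v'-style line: rev, author, then n
    repeated ' 0' tokens that optional lock/size groups can absorb in many
    ways, ending in a token that is not a date so the whole match fails."""
    return "  1 alice" + " 0" * n + " x"


def time_match(pattern: "re.Pattern", text: str, repeats: int = 5) -> float:
    """Best-of-N wall-clock seconds for one anchored match attempt."""
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - t0)
    return best


def probe(pattern: "re.Pattern", make_input: Callable[[int], str],
          sizes: List[int]) -> List[Tuple[int, float]]:
    """Match timings for each input size; sizes should grow by a constant step."""
    return [(n, time_match(pattern, make_input(n))) for n in sizes]


def growth_ratios(timings: List[Tuple[int, float]]) -> List[float]:
    """Cost multiplier between consecutive sizes (timer floor avoids /0)."""
    return [b[1] / max(a[1], 1e-9) for a, b in zip(timings, timings[1:])]


def classify(timings: List[Tuple[int, float]], exponential_factor: float = 8.0) -> str:
    """Crude verdict for sizes growing by a constant additive step:
    'exponential' if every step multiplies cost by >= exponential_factor,
    'polynomial' if cost keeps growing but more slowly, else 'flat'."""
    ratios = growth_ratios(timings)
    if not ratios:
        return "insufficient data"
    if all(r >= exponential_factor for r in ratios):
        return "exponential"
    if all(r > 1.5 for r in ratios):
        return "polynomial"
    return "flat"


if __name__ == "__main__":
    # Known-bad control: proves the harness can see exponential growth.
    control = probe(re.compile(r"(a+)+$"), lambda n: "a" * n + "b", [8, 12, 16, 20])
    print("control (a+)+$:", classify(control), control)
    # Target: real py pattern if installed, otherwise the constructed stand-in.
    target = load_py_lspattern() or STAND_IN
    svn = probe(target, svn_ls_line, [16, 24, 32, 40])
    print("svn ls pattern:", classify(svn), svn)
```

A 'flat' verdict at small sizes only means the cost is below timer noise; raise the sizes (keeping a constant step) before concluding the claim does not reproduce, and keep a wall-clock limit around the run in case it does.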
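The recommendation reduces to two version checks plus a reachability question (does anything actually use py's svn path classes?). The audit below is an added example, not code from the page or from the py or pytest projects: it reads a pip-freeze style listing and a map of source files, both constructed inline for the example, and applies the advisory's thresholds (py through 1.11.0 affected, no fixed py release, pytest 7.2.0 the first release without the py dependency).

```python
"""Dependency audit for CVE-2022-42969 (added example, not py's or pytest's code).

Flags a pinned py release up to 1.11.0, tells whether the pytest pin is one
that still depends on py, and greps sources for the svn-only code path that
the affected regular expression lives behind.
"""
import re
from typing import Dict, List, Tuple

# Thresholds from the advisory text.
AFFECTED_PY_MAX = (1, 11, 0)      # every py release through 1.11.0 is affected
PYTEST_WITHOUT_PY = (7, 2, 0)     # first pytest release that no longer depends on py

# Names through which py's svn handling (and so InfoSvnCommand) is reached.
SVN_MARKERS = re.compile(r"\b(svnurl|svnwc|InfoSvnCommand)\b")


def parse_version(v: str) -> Tuple[int, ...]:
    """Leading numeric components only. '1.11.0rc1' becomes (1, 11, 0), which
    is the conservative reading for an upper-bound check; local labels after
    '+' are dropped."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("+")[0])[:3])


def parse_freeze(text: str) -> Dict[str, str]:
    """'name==version' lines as produced by pip freeze; comments/blanks ignored."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def assess(pins: Dict[str, str]) -> Dict[str, object]:
    """Apply the advisory's version logic to a set of pins."""
    py_ver = pins.get("py")
    pytest_ver = pins.get("pytest")
    py_affected = py_ver is not None and parse_version(py_ver) <= AFFECTED_PY_MAX
    pytest_pins_py = (
        pytest_ver is not None and parse_version(pytest_ver) < PYTEST_WITHOUT_PY
    )
    if py_affected and pytest_pins_py:
        advice = "upgrade pytest to >= 7.2.0, then drop the py pin"
    elif py_affected:
        advice = "py is pinned directly; no fixed py release exists, remove the dependency"
    else:
        advice = "not affected"
    return {"py_affected": py_affected, "pytest_pins_py": pytest_pins_py, "advice": advice}


def find_svn_usage(sources: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """(filename, line number, line) for every line touching py's svn paths.
    No hits means the affected regex is not reachable even if py is installed."""
    hits: List[Tuple[str, int, str]] = []
    for fname, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            if SVN_MARKERS.search(line):
                hits.append((fname, lineno, line.strip()))
    return hits


# Constructed sample input (not a real project).
SAMPLE_FREEZE = """\
# pinned alongside an old pytest
py==1.11.0
pytest==7.1.3
"""

SAMPLE_SOURCES = {
    "conftest.py": "import py\n\ndef pytest_configure(config):\n    pass\n",
    "tools/mirror.py": (
        "import py\n"
        "repo = py.path.svnurl('svn://example.invalid/trunk')\n"
        "for entry in repo.listdir():\n"
        "    print(entry.info().rev)\n"
    ),
}

if __name__ == "__main__":
    print(assess(parse_freeze(SAMPLE_FREEZE)))
    for hit in find_svn_usage(SAMPLE_SOURCES):
        print("svn code path used at %s:%d: %s" % hit)
```

Run it against the output of `pip freeze` and your own source tree; the version check is what the advisory asks for, and the svn-usage scan is what tells you whether the disputed regex is even reachable in your deployment.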

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2022-42969
GHSA-W596-4WVX-J9J6
MGASA-2025-0289
OPENSUSE-SU-2023_0161-1
OPENSUSE-SU-2024:13211-1
PYSEC-2022-42969
PYSEC-2022-43183
SUSE-SU-2023:0161-1
SUSE-SU-2023:0395-1
SUSE-SU-2023:0681-1
SUSE-SU-2023_0161-1
SUSE-SU-2023_0395-1
SUSE-SU-2023_0681-1

Affected Products

Debian
Suse
Py
Pytest