PT-2022-6567 · Python Packaging Authority · Setuptools

Jaraco · Published 2022-11-16 · Updated 2026-05-04 · CVE-2022-40897

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions: Python Packaging Authority (PyPA) setuptools versions 65.3.0 through 65.5.0
Description: The vulnerability is a Regular Expression Denial of Service (ReDoS) in setuptools' package_index.py, caused by insufficient validation of the HTML content that setuptools fetches and scans for links. A remote attacker who controls HTML that setuptools processes, such as a crafted package page or a custom PackageIndex page, can supply input that makes the link-scanning regular expression backtrack excessively, burning CPU and denying service to the build or installation that triggered the fetch.
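Added illustration of the bug class (this code is not from the advisory or from the setuptools project): the two regexes below are simplified stand-ins for an HTML link-attribute scan in the style of package_index.py, not its actual patterns or its patch. They show why a regex that re-enters an unbounded `[^>]*` run from every `<` of an untrusted page does quadratic work on a crafted page, and contrast it with a tokenizing parser from the standard library that does bounded work per character. The index URL, sample page and crafted page are constructed for the example.

```python
"""Added example: the ReDoS bug class behind CVE-2022-40897.

The regexes here are simplified stand-ins for an HTML link-attribute scan like the
one in setuptools' package_index.py; they are NOT the project's actual patterns or
its patch.  They show why letting a regex re-enter an unbounded [^>]* run from
every '<' of an untrusted page costs quadratic time on a crafted page, and contrast
it with a tokenizing parser (html.parser) that does bounded work per character.
"""
import re
import time
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumption: simplified rel="..." and href="..." scans written in the vulnerable
# style.  From every '<' the engine runs [^>]* to the end of a '>'-free page, then
# backtracks one character at a time testing '\srel'; a page made of n bare '<'
# characters therefore costs about n*n/2 steps.
REL_RE = re.compile(r"""<([^>]*\srel\s*=\s*['"]?([^'">]+))""", re.I)
HREF_RE = re.compile(r"""href\s*=\s*['"]?([^'"> ]+)""", re.I)

BASE_URL = "https://example.invalid/simple/pkg/"  # constructed index URL

# Constructed sample page in the style of a project page on a package index.
SAMPLE_PAGE = """<html><body>
<a href="https://example.invalid/pkg-1.0.tar.gz">pkg-1.0.tar.gz</a>
<a href="https://example.invalid/home" rel="homepage">Home</a>
<a href="/dl/pkg-1.0.zip" rel="download">Download</a>
<a href="https://example.invalid/docs" rel="nofollow">Docs</a>
</body></html>"""


def _wanted(rel_value):
    """True if a rel attribute names a homepage or download link."""
    rels = set(re.split(r"[\s,]+", rel_value.lower().strip())) - {""}
    return bool(rels & {"homepage", "download"})


def regex_external_links(base_url, page):
    """Vulnerable style: scan the raw page with REL_RE, then HREF_RE inside the tag."""
    links = []
    for match in REL_RE.finditer(page):
        tag, rel = match.groups()
        if _wanted(rel):
            for href in HREF_RE.finditer(tag):
                links.append(urljoin(base_url, href.group(1)))
    return links


class _LinkCollector(HTMLParser):
    """Hardened style: tokenize tags once; attribute lookup is a dict access."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases names and decodes entities
        if _wanted(a.get("rel") or "") and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))


def parser_external_links(base_url, page):
    """Extract rel=homepage/download hrefs without running a regex over the page."""
    collector = _LinkCollector(base_url)
    collector.feed(page)
    collector.close()
    return collector.links


def crafted_page(n):
    """Constructed attacker page: n bare '<' and no '>' keeps [^>]* running to the end."""
    return "<" * n


def seconds_for(extractor, page):
    """Wall-clock time of one extraction; used only for the demonstration below."""
    start = time.perf_counter()
    extractor(BASE_URL, page)
    return time.perf_counter() - start


if __name__ == "__main__":
    print(regex_external_links(BASE_URL, SAMPLE_PAGE))
    print(parser_external_links(BASE_URL, SAMPLE_PAGE))
    # Doubling n roughly quadruples the regex time; the parser grows linearly.
    for n in (1000, 2000, 4000):
        page = crafted_page(n)
        print(f"n={n:5d}  regex {seconds_for(regex_external_links, page):.3f}s"
              f"  parser {seconds_for(parser_external_links, page):.3f}s")
```

Both extractors return the same two links for the benign sample page, which is the point: the parser-based form is a drop-in replacement whose cost does not depend on how the attacker arranges the bytes, whereas the regex form's cost is set by the worst-case backtracking of the pattern.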
Recommendations: For versions 65.3.0 through 65.5.0, update to setuptools 65.5.1 or later, which resolves the issue. Until the update is applied, limit exposure by fetching only from trusted package indexes, so that setuptools' package_index code never processes attacker-controlled HTML, and avoid the code paths that run the affected regular expression in package_index.py (it is used by easy_install-style dependency fetching). Note that the upstream advisory lists every release before 65.5.1 as affected, so older versions outside the range above should be updated as well.
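Added check (not tooling from the advisory or the setuptools project): a small script that classifies a setuptools version against the range this advisory lists as affected (65.3.0 through 65.5.0) and the fixed release (65.5.1), reports the version installed in the current interpreter, and flags pinned `setuptools==` requirements in the affected range. The pin syntax it accepts and the sample requirements text are constructed assumptions; pre-release, post-release and local version tags are deliberately ignored.

```python
"""Added example: check setuptools versions against this advisory's ranges.

Not tooling from the setuptools project.  Affected range and fixed release are
the ones stated in the advisory text above.
"""
import importlib.metadata
import re

AFFECTED_FIRST = (65, 3, 0)  # first affected release listed in this advisory
AFFECTED_LAST = (65, 5, 0)   # last affected release listed in this advisory
FIXED = (65, 5, 1)           # release that resolves CVE-2022-40897

# Assumption: a pinned requirement looks like "setuptools==65.4.1", optionally with
# spaces around "==" and a trailing environment marker or comment.
PIN_RE = re.compile(r"^\s*setuptools\s*==\s*([0-9][^\s;#]*)", re.I)


def release_tuple(version):
    """Numeric release segment of a version string: '65.5.1.post1' -> (65, 5, 1).

    Pre-release, post-release and local tags are ignored (assumption: adequate
    for a range check against the plain release numbers above)."""
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"not a version string: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version):
    """True if the version is inside the advisory's affected range."""
    return AFFECTED_FIRST <= release_tuple(version) <= AFFECTED_LAST


def is_fixed(version):
    """True if the version is the fixed release or later."""
    return release_tuple(version) >= FIXED


def classify(version):
    """Summarise a version relative to the advisory's ranges."""
    if is_affected(version):
        return "affected"
    if is_fixed(version):
        return "fixed"
    # Upstream lists every pre-65.5.1 release as affected; see the note above.
    return "older than the advisory range"


def affected_pins(requirements_text):
    """Return (line_number, version) for every setuptools pin in the affected range."""
    hits = []
    for number, line in enumerate(requirements_text.splitlines(), start=1):
        match = PIN_RE.match(line)
        if match and is_affected(match.group(1)):
            hits.append((number, match.group(1)))
    return hits


def installed_setuptools_version():
    """Version of setuptools in the running interpreter, or None if absent."""
    try:
        return importlib.metadata.version("setuptools")
    except importlib.metadata.PackageNotFoundError:
        return None


# Constructed example pins, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# build tooling
wheel==0.38.4
setuptools==65.4.1
setuptools == 65.5.1 ; python_version >= "3.8"
Setuptools==65.3.0  # legacy environment
"""

if __name__ == "__main__":
    installed = installed_setuptools_version()
    if installed is None:
        print("setuptools is not installed in this interpreter")
    else:
        print(f"installed setuptools {installed}: {classify(installed)}")
    for number, version in affected_pins(SAMPLE_REQUIREMENTS):
        print(f"line {number}: setuptools=={version} is affected; pin >= 65.5.1")
```

Run it inside each virtual environment or container image that builds packages; the interpreter-level check only sees the setuptools that interpreter would use, which is the one that matters for this issue.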

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

ALSA-2023:0835
ALSA-2023:0952
ALSA-2024:2985
ALSA-2024:2987
ALT-PU-2022-3087
ALT-PU-2024-15879
ALT-PU-2024-15964
AZL-60207
BDU:2023-02445
BIT-SETUPTOOLS-2022-40897
CESA-2023_0835
CESA-2024_2985
CESA-2024_2987
CVE-2022-40897
DLA-3876-1
ECHO-3699-2FC9-324A
GHSA-R9HX-VWMV-Q579
INFSA-2024_2985
INFSA-2024_2987
MGASA-2023-0219
OESA-2023-1004
OPENSUSE-SU-2023_0091-1
OPENSUSE-SU-2023_0159-1
OPENSUSE-SU-2023_0202-1
OPENSUSE-SU-2023_4517-1
PYSEC-2022-43012
RHSA-2023:0835
RHSA-2023:0952
RHSA-2023:6793
RHSA-2023:7395
RHSA-2023_0835
RHSA-2023_0952
RHSA-2024:2985
RHSA-2024:2987
RHSA-2024:4421
RHSA-2024:6915
RHSA-2024_2985
RHSA-2024_2987
RLSA-2023:0835
RLSA-2023:0952
RLSA-2024:2985
SUSE-SU-2023:0091-1
SUSE-SU-2023:0093-1
SUSE-SU-2023:0094-1
SUSE-SU-2023:0159-1
SUSE-SU-2023:0202-1
SUSE-SU-2023:0223-1
SUSE-SU-2023:0402-1
SUSE-SU-2023:0403-1
SUSE-SU-2023:4517-1
SUSE-SU-2023_0091-1
SUSE-SU-2023_0093-1
SUSE-SU-2023_0094-1
SUSE-SU-2023_0159-1
SUSE-SU-2023_4517-1
SUSE-SU-2024:2435-1
USN-5817-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Setuptools