FreeBSD VuXML 24DA150A-33E0-4FEE-B4EE-2C6B377D3395
Dec 23, 2022 - 12:00 a.m.

py39-setuptools58 -- denial of service vulnerability

2022-12-23 00:00:00
vuxml.freebsd.org

CVSS3: 5.9 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.005 Low
Percentile: 77.5%

SCH227 reports:

Python Packaging Authority (PyPA)'s setuptools is a library designed to facilitate packaging Python projects.
Setuptools version 65.5.0 and earlier could allow remote attackers to cause a denial of service by fetching malicious HTML from a PyPI package or custom PackageIndex page due to a vulnerable Regular Expression in package_index.
This has been patched in version 65.5.1. The patch was backported to revision 58.5.3_3.

OS       Version  Architecture  Package            Version     Filename
FreeBSD  any      noarch        py39-setuptools58  < 44.1.1_1  UNKNOWN
