7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.003 Low
EPSS
Percentile
68.2%
An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and
earlier allows remote attackers to cause a denial of service via attacker
controlled input to wheel cli.
Author | Note |
---|---|
mdeslaur | the python-pip package bundles wheel binaries when built. After updating wheel, a no-change rebuild of python-pip is required. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | python-pip | < 9.0.1-2.3~ubuntu1.18.04.7 | UNKNOWN |
ubuntu | 20.04 | noarch | python-pip | < 20.0.2-5ubuntu1.8 | UNKNOWN |
ubuntu | 22.04 | noarch | python-pip | < 22.0.2+dfsg-1ubuntu0.2 | UNKNOWN |
ubuntu | 22.10 | noarch | python-pip | < 22.2+dfsg-1ubuntu0.2 | UNKNOWN |
ubuntu | 14.04 | noarch | python-pip | < 1.5.4-1ubuntu4+esm3 | UNKNOWN |
ubuntu | 16.04 | noarch | python-pip | < 8.1.1-2ubuntu0.6+esm4 | UNKNOWN |
ubuntu | 18.04 | noarch | wheel | < 0.30.0-0.2ubuntu0.1 | UNKNOWN |
ubuntu | 20.04 | noarch | wheel | < 0.34.2-1ubuntu0.1 | UNKNOWN |
ubuntu | 22.04 | noarch | wheel | < 0.37.1-2ubuntu0.22.04.1 | UNKNOWN |
ubuntu | 22.10 | noarch | wheel | < 0.37.1-2ubuntu0.22.10.1 | UNKNOWN |
github.com/pypa/wheel/blob/main/src/wheel/wheelfile.py#L18
github.com/pypa/wheel/commit/88f02bc335d5404991e532e7f3b0fc80437bf4e0
launchpad.net/bugs/cve/CVE-2022-40898
nvd.nist.gov/vuln/detail/CVE-2022-40898
pypi.org/project/wheel/
pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/
security-tracker.debian.org/tracker/CVE-2022-40898
ubuntu.com/security/notices/USN-5821-1
ubuntu.com/security/notices/USN-5821-2
www.cve.org/CVERecord?id=CVE-2022-40898