CVE-2022-40897
Denial of Service vulnerability in setuptools

Type: Denial of Service. Known public exploits: none.

What is CVE-2022-40897 About?

This vulnerability is a Denial of Service (DoS) in PyPA's setuptools, affecting versions 65.5.0 and earlier, caused by a vulnerable regular expression in `package_index`. A remote attacker can cause a denial of service by supplying malicious HTML through a PyPI package or a custom PackageIndex page; crafted input drives the regular expression into excessive backtracking and exhausts CPU and memory.

Affected Software

  • setuptools
    • <43a9c9bfa6aa626ec2a22540bea28d2ca77964be
    • <65.5.1

Technical Details

The vulnerability lies in the `package_index` component of PyPA's setuptools, which uses a regular expression to parse HTML fetched from PyPI or from a custom PackageIndex page. The regular expression is susceptible to catastrophic backtracking when it processes specially crafted HTML: the regex engine re-examines overlapping candidate matches many times over, consuming excessive CPU time and memory. The result is resource exhaustion and a denial of service for any application that parses such input with a vulnerable setuptools version.

What is the Impact of CVE-2022-40897?

Successful exploitation may allow attackers to cause the system to become unresponsive, leading to an application crash or service outage.

What is the Exploitability of CVE-2022-40897?

Exploitation requires a remote attacker to provide malicious HTML content, typically through a PyPI package or a custom PackageIndex page, which is then fetched and parsed by PyPA's setuptools. The complexity is moderate: the attacker must construct a specific HTML payload that triggers the vulnerable regular expression. No authentication is needed to deliver the malicious content, since the attack relies on setuptools fetching and parsing external data. The risk increases for systems that frequently retrieve packages from untrusted sources or mirrors. This is a remote exploitation scenario.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-40897?

Available Upgrade Options

  • setuptools
    • <65.5.1 → Upgrade to 65.5.1
    • <43a9c9bfa6aa626ec2a22540bea28d2ca77964be → Upgrade to commit 43a9c9bfa6aa626ec2a22540bea28d2ca77964be
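The script below is an added example and is not code from this advisory or from setuptools. It covers two defender-side tasks tied to the details above: flagging setuptools pins older than the fixed release 65.5.1 in a pip freeze or requirements listing, and extracting hrefs from an index page with Python's html.parser tokenizer rather than a regular expression, so the parse stays linear in the input size. The function names, the requirements text and the HTML sample are all constructed for illustration.

```python
"""Added example, not from the advisory or from setuptools itself.
affected_pins(): flag 'setuptools==X' pins older than the fixed release 65.5.1.
extract_hrefs(): read hrefs from an index page with html.parser's tokenizer instead
of a regular expression, so the work stays linear and cannot backtrack explosively."""
import re
from html.parser import HTMLParser

FIXED_VERSION = (65, 5, 1)  # first setuptools release carrying the fix (advisory)

def parse_version(text):
    """'65.5.0' -> (65, 5, 0); a non-numeric suffix such as 'rc1' is ignored."""
    nums = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    return tuple((nums + [0, 0, 0])[:3])

def is_affected(version_text):
    """True when a setuptools version predates the fix (older than 65.5.1)."""
    return parse_version(version_text) < FIXED_VERSION

def affected_pins(requirements_text):
    """Return the version of every setuptools pin in a freeze/requirements listing
    that is still affected; other packages and comment lines are ignored."""
    hits = []
    for line in requirements_text.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_.-]+)\s*==\s*(\S+)", line)
        if m and m.group(1).lower() == "setuptools" and is_affected(m.group(2)):
            hits.append(m.group(2))
    return hits

class _HrefCollector(HTMLParser):
    """Collect href attributes of <a> tags; the tokenizer consumes input once."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def extract_hrefs(html_text):
    collector = _HrefCollector()
    collector.feed(html_text)
    collector.close()
    return collector.hrefs

# Constructed inputs: one vulnerable pin, and an index page whose second link
# carries the sort of irregular whitespace a backtracking regex struggles with.
SAMPLE_FREEZE = "# constructed\nsetuptools==65.5.0\nsome-other-package==1.0\n"
SAMPLE_INDEX = ('<a href="pkg-1.0.tar.gz#sha256=abc">pkg-1.0.tar.gz</a>\n'
                '<a' + ' ' * 200 + 'href = "pkg-1.1-py3-none-any.whl">pkg-1.1</a>\n')
```

Running `affected_pins` over `pip freeze` output in CI gives a quick gate on the fixed version; `extract_hrefs` shows how an application that parses index pages itself can avoid regex-based HTML parsing altogether.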


Additional Resources

What are Similar Vulnerabilities to CVE-2022-40897?

Similar Vulnerabilities: CVE-2023-26116, CVE-2021-4202, CVE-2020-15167, CVE-2021-3807, CVE-2021-32640