CVE-2022-42969
Regular expression Denial of Service (ReDoS) vulnerability in py (PyPI)

Regular expression Denial of Service (ReDoS) No known exploit

What is CVE-2022-42969 About?

This advisory, since withdrawn, described a Regular expression Denial of Service (ReDoS) in the `py` library for Python, versions through 1.11.0, triggered while parsing crafted Subversion repository info data. The initial assessment was that a crafted repository listing could make the affected regular expression consume excessive CPU time and deny service; whether that is reachable depends entirely on an application using `py`'s Subversion support (`py.path.svnurl`) on data an attacker controls. The pytest project, historically the main consumer of `py`, has removed the dependency (pytest 7.2.0 and later no longer require it), so current pytest users are not exposed through pytest.

Affected Software

py <=1.11.0

Technical Details

The weakness is in `py._path.svnurl.InfoSvnCommand.lspattern`, a regular expression the library applies line by line to the Subversion repository info data it reads from the `svn` command line tool, in every release up to and including 1.11.0. A line constructed so that the pattern's quantified groups can consume the same characters in many overlapping ways forces Python's backtracking `re` engine to try those combinations before it fails, so matching time grows super-linearly with the length of the crafted field and the process parsing the listing burns CPU for as long as the input keeps it busy. Only code paths that go through `py.path.svnurl` (applications that use `py` to talk to Subversion) ever evaluate this pattern; the far more common `py.path.local` usage does not touch it.
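The block below is an added example, not code from the `py` project or from this advisory. It shows two things a practitioner wants at this point: how to check whether a regular expression's matching time grows exponentially with input length (the ReDoS signature), and how to parse `svn ls -v` style listing lines with plain whitespace tokenization and a length cap instead of a backtracking-prone regex. `VULNERABLE_PATTERN` is a constructed stand-in with the nested-quantifier shape that causes catastrophic backtracking; it is not the `lspattern` regex from `py/_path/svnurl.py`, which is not reproduced here. The line format, field names, `MAX_LINE_LEN` and the sample output are all assumptions made for the example.

```python
"""ReDoS growth check and a backtracking-free parser for ``svn ls -v`` lines.

Added example for CVE-2022-42969; nothing here is code from the py library.
"""
import re
import time

# Constructed stand-in (assumption): nested quantifiers over the same
# character class, the shape that makes a backtracking engine try every
# way of splitting a run of word characters.  NOT py's lspattern.
VULNERABLE_PATTERN = re.compile(r"^(\w+\s?)*$")

# Same language, rewritten so the engine has one way to consume each run:
# a word run, then zero or more (single space + word run), optional trailing
# space.  Backtracking is linear because whitespace separates the runs.
SAFE_PATTERN = re.compile(r"^(?:\w+(?:\s\w+)*\s?)?$")


def match_seconds(pattern, text):
    """Wall-clock seconds for a single match attempt."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


def growth_profile(pattern, make_input, sizes):
    """Time pattern on make_input(n) for each n; return [(n, seconds)].
    A roughly constant ratio between consecutive entries means exponential
    growth, the signature of catastrophic backtracking."""
    return [(n, match_seconds(pattern, make_input(n))) for n in sizes]


def redos_input(n):
    """Worst case for VULNERABLE_PATTERN: n word chars followed by one char
    that can never match, so every split of the run is tried before failing."""
    return "a" * n + "!"


MAX_LINE_LEN = 4096          # assumption: reject oversized lines up front
MONTHS = {"Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"}


def parse_ls_line(line):
    """Parse one ``svn ls -v`` style line of the assumed form
         ``<rev> <author> [<size>] <Mon> <dd> <hh:mm|yyyy> <name>``
    using whitespace tokenization only, so the cost is linear in the line
    length whatever the content.  Raises ValueError on malformed input."""
    if len(line) > MAX_LINE_LEN:
        raise ValueError("line exceeds %d characters" % MAX_LINE_LEN)
    try:
        rev, author, rest = line.split(None, 2)
        head, rest = rest.split(None, 1)
        size = None
        if head.isdigit():           # directories have no size column
            size = int(head)
            head, rest = rest.split(None, 1)
        day, rest = rest.split(None, 1)
        when, name = rest.split(None, 1)   # name keeps its internal spaces
    except ValueError as exc:
        raise ValueError("malformed svn ls line: %r" % line) from exc
    if not rev.isdigit() or head not in MONTHS or not day.isdigit():
        raise ValueError("malformed svn ls line: %r" % line)
    return {"rev": int(rev), "author": author, "size": size,
            "date": "%s %s %s" % (head, day, when), "name": name}


# Constructed sample listing, not captured from a real repository.
SAMPLE_LS_OUTPUT = """\
     12 alice             4096 Mar 03 14:22 README.md
      7 bob                    Jan 10  2021 src/
      9 carol              513 Feb 29 09:01 notes with spaces.txt
"""


def parse_ls_output(text):
    """Parse every non-blank line of a listing into a list of dicts."""
    return [parse_ls_line(ln) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for entry in parse_ls_output(SAMPLE_LS_OUTPUT):
        print(entry)
    # Vulnerable pattern: time roughly doubles per extra character.
    for n, secs in growth_profile(VULNERABLE_PATTERN, redos_input, range(10, 19, 2)):
        print("vulnerable n=%2d  %.4fs" % (n, secs))
    for n, secs in growth_profile(SAFE_PATTERN, redos_input, range(10, 19, 2)):
        print("safe       n=%2d  %.6fs" % (n, secs))
```

Running the module prints the parsed entries and then the timing table; the vulnerable stand-in roughly doubles per added character while the safe rewrite stays flat. When auditing a real codebase, feed the suspect regex and a generator of its own worst-case input to `growth_profile` over a few increasing sizes; Python's `re` cannot be interrupted once a match has started, so any timing probe on an unknown pattern should run in a subprocess with a hard timeout rather than in the main process.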

What is the Impact of CVE-2022-42969?

Successful exploitation lets an attacker make the process that parses the listing spend unbounded CPU time inside a single regex match, stalling the application and denying its service to others. The impact is to availability only: the flaw neither exposes nor modifies data, and the cost lands on the machine running the `py` code, not on the Subversion server.

What is the Exploitability of CVE-2022-42969?

Based on the original description, an attacker would need to get crafted Subversion repository info data in front of an application that parses it with the vulnerable `py` code, either by influencing the content of the repository the application lists (author names and file names both appear in the listing the library parses) or by controlling the `svn` output the application consumes. Complexity is therefore moderate to high: `py` itself imposes no authentication or privilege requirement, but the ability to influence the repository or the processing pipeline implies some level of access in practice. The practical exposure is confined to applications that use `py.path.svnurl` against repositories whose contents they do not trust; a codebase that uses `py` only through pytest or `py.path.local` never evaluates the affected pattern. To confirm exposure, search the codebase and its dependencies for references to `py.path.svnurl` or `py._path.svnurl` rather than for the `py` package alone.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-42969?

Available Upgrade Options

  • No fixed release of `py` is available; 1.11.0 is the last release.
  • Check whether `py` is still installed and which packages pull it in with `pip show py` (see its `Required-by` line), and move those consumers to versions that no longer depend on it (for pytest, 7.2.0 or later).
  • Where `py.path.svnurl` is used directly, treat the Subversion data it parses as trusted input only, or replace that code path with your own parser.

Additional Resources

What are Similar Vulnerabilities to CVE-2022-42969?

Similar Vulnerabilities: CVE-2023-48633, CVE-2023-28155, CVE-2022-31089, CVE-2022-25916, CVE-2022-24990