ALT-PU-2024-15879-3 — python3-module-setuptools

BDU:2023-02445

MEDIUM5.9

Уязвимость инструментов установки пакетов Python Packaging Authority, связанная с некорректным регулярным выражением, позволяющая нарушителю вызывать отказ в обслуживании

Published: 2023-05-10Modified: 2026-02-10

CVSS 3.xMEDIUM 5.9

CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0MEDIUM 5.4

CVSS:2.0/AV:N/AC:H/Au:N/C:N/I:N/A:C

References

CVE-2022-40897

BDU:2024-05843

HIGH8.8

Уязвимость модуля package_index библиотеки упрощения упаковки проектов setuptools, связанная с неправильным контролем генерации кода, позволяющая нарушителю выполнять произвольные команды в системе

Published: 2024-07-31Modified: 2026-02-10

CVSS 3.xHIGH 8.8

CVSS:3.x/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 2.0CRITICAL 10.0

CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C

References

CVE-2024-6345

CVE-2022-40897

MEDIUM5.9

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

Published: 2022-12-23Modified: 2025-11-04

CVSS 3.xMEDIUM 5.9

CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

CVE-2024-6345

HIGH8.8

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

Published: 2024-07-15Modified: 2026-04-15

CVSS 3.xHIGH 8.8

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

GHSA-cx63-2mw6-8hw5

HIGH7.5

setuptools vulnerable to Command Injection via package URL

Published: 2024-07-15Modified: 2025-11-04

CVSS 3.xHIGH 7.5

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS 4.0HIGH 7.5

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

GHSA-r9hx-vwmv-q579

HIGH8.7

pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)

Published: 2022-12-23Modified: 2025-11-04

CVSS 3.xHIGH 8.7

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS 4.0HIGH 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

References

Package update python3-module-setuptools in branch p10

Closed issues (6)

Уязвимость инструментов установки пакетов Python Packaging Authority, связанная с некорректным регулярным выражением, позволяющая нарушителю вызывать отказ в обслуживании

Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

setuptools vulnerable to Command Injection via package URL

pypa/setuptools vulnerable to Regular Expression Denial of Service (ReDoS)