CVE-2022-40897 Report - Details, Severity, & Advisories
Twingate Team • Jul 4, 2024
What is CVE-2022-40897?
CVE-2022-40897 is a medium-severity vulnerability in Python Packaging Authority (PyPA) setuptools. It allows remote attackers to cause a denial of service through crafted HTML content, resulting in a Regular Expression Denial of Service (ReDoS) in the package_index.py file. Systems using PyPA setuptools versions up to (excluding) 65.5.1 are affected, making it essential to update to a secure version.
Who is impacted by this?
CVE-2022-40897 affects users of Python Packaging Authority (PyPA) setuptools versions up to, but not including, 65.5.1. This includes users of the python-setuptools package in Fedora 37, specifically version 62.6.0, release 3.fc37. The vulnerability can cause a denial of service through crafted HTML content, resulting in a Regular Expression Denial of Service (ReDoS) in the package_index.py file.
What to do if CVE-2022-40897 affected you
If you're affected by the CVE-2022-40897 vulnerability, it's crucial to update your Python setuptools to version 65.5.1 or later. For Fedora 37 users, update the python-setuptools package using the following command:
su -c 'dnf upgrade --advisory FEDORA-2023-60e2b22be0'
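To find which Python environments still carry an affected setuptools, the following added example (not code from Twingate or PyPA) reads installed distribution metadata and flags any version below 65.5.1. The function names are illustrative; the 65.5.1 threshold comes from the advisory text above.

```python
import importlib.metadata
import re
import sys

FIXED = (65, 5, 1)  # first fixed release, per the advisory text

_RELEASE = re.compile(r"^v?(\d+(?:\.\d+)*)(.*)$")
_PRE = re.compile(r"^[._-]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)


def parse_release(version):
    """Return (release_tuple, is_prerelease) for a version string."""
    m = _RELEASE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    # Pad short versions so that "65.5" compares as 65.5.0.
    release += (0,) * (len(FIXED) - len(release))
    return release, bool(_PRE.match(m.group(2)))


def is_affected(version):
    """True if this setuptools version predates the 65.5.1 fix."""
    release, pre = parse_release(version)
    # Pre-releases of 65.5.1 sort before it, so treat them as affected.
    return release < FIXED or (release == FIXED and pre)


def audit(paths):
    """Return sorted (version, affected) pairs for setuptools found on paths."""
    findings = []
    for dist in importlib.metadata.distributions(path=list(paths)):
        name = (dist.metadata.get("Name") or "").lower()
        if name == "setuptools":
            findings.append((dist.version, is_affected(dist.version)))
    return sorted(findings)


if __name__ == "__main__":
    # Audits the interpreter running this script; pass other site-packages
    # directories to audit() to cover additional virtual environments.
    for version, affected in audit(sys.path):
        status = "AFFECTED, upgrade to 65.5.1 or later" if affected else "ok"
        print(f"setuptools {version}: {status}")
```

Run it with each interpreter or virtual environment you need to check, since every environment can bundle its own copy of setuptools.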
Is this in CISA’s Known Exploited Vulnerabilities Catalog?
The CVE-2022-40897 vulnerability is not listed in CISA's Known Exploited Vulnerabilities Catalog. It affects Python Packaging Authority (PyPA) setuptools and can cause a denial of service through crafted HTML content.
Weakness Enumeration
This vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity), located in the package_index.py file of PyPA setuptools.
Learn More
For comprehensive information on this vulnerability, including its description, severity, technical details, and known affected software configurations, visit the NVD page or refer to the sources below: