Vulnerability Description
The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. Note: This has been disputed by multiple third parties as not being reproduceable and they argue this is not a valid vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pytest | Py | <= 1.11.0 |
Related Weaknesses (CWE)
References
- https://github.com/pytest-dev/py/blob/cb87a83960523a2367d0f19226a73aed4ce4291d/pProduct
- https://github.com/pytest-dev/py/issues/287ExploitIssue TrackingThird Party Advisory
- https://news.ycombinator.com/item?id=34163710Issue TrackingThird Party Advisory
- https://pypi.org/project/pyProduct
- https://github.com/pytest-dev/py/blob/cb87a83960523a2367d0f19226a73aed4ce4291d/pProduct
- https://github.com/pytest-dev/py/issues/287ExploitIssue TrackingThird Party Advisory
- https://news.ycombinator.com/item?id=34163710Issue TrackingThird Party Advisory
- https://pypi.org/project/pyProduct
FAQ
What is CVE-2022-42969?
CVE-2022-42969 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSv...
How severe is CVE-2022-42969?
CVE-2022-42969 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-42969?
Check the references section above for vendor advisories and patch information. Affected products include: Pytest Py.