Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0ycDloLWNjdzctMzNnZs4AAvz0
cleo is vulnerable to Regular Expression Denial of Service (ReDoS)
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method.
Permalink: https://github.com/advisories/GHSA-2p9h-ccw7-33gfJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0ycDloLWNjdzctMzNnZs4AAvz0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 1 year ago
Updated: 8 months ago
CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-2p9h-ccw7-33gf, CVE-2022-42966
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-42966
- https://research.jfrog.com/vulnerabilities/cleo-redos-xray-257186
- https://github.com/python-poetry/cleo/pull/285
- https://github.com/python-poetry/cleo/commit/b5b9a04d2caf58bf7cf94eb7ae4a1ebbe60ea455
- https://github.com/advisories/GHSA-2p9h-ccw7-33gf
Blast Radius: 19.3
Affected Packages
pypi:cleo
Dependent packages: 68Dependent repositories: 1,839
Downloads: 30,275,428 last month
Affected Version Ranges: <= 1.0.0a5
Fixed in: 1.0.0
All affected versions: 0.2.0, 0.2.1, 0.3.0, 0.4.0, 0.4.1, 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.6.4, 0.6.5, 0.6.6, 0.6.7, 0.6.8, 0.7.0, 0.7.1, 0.7.2, 0.7.3, 0.7.4, 0.7.5, 0.7.6, 0.8.0, 0.8.1, 1.0.0-a1, 1.0.0-a2, 1.0.0-a3, 1.0.0-a4, 1.0.0-a5
All unaffected versions: 1.0.0, 2.0.0, 2.0.1, 2.1.0