Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xd21wLTJjZjItZzlnNs4AAwjr

pypa/wheel vulnerable to Regular Expression denial of service (ReDoS)

Python Packaging Authority (PyPA) Wheel is a reference implementation of the Python wheel packaging standard. Wheel 0.37.1 and earlier are vulnerable to regular expression denial of service (ReDoS) via attacker-controlled input to the wheel CLI: the regular expression that validates wheel file names backtracks excessively on a crafted file name, so a single malformed name can keep the process busy for a long time. This has been patched in version 0.38.1.
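The following is an added example, not code from the advisory or from the pypa/wheel project. It contrasts a backtracking-prone wheel-filename regex with a split-based parser that cannot backtrack, includes a small timing probe of the kind used to confirm superlinear matching time, and checks a wheel release number against the affected range quoted under Affected Packages below. The regex NAIVE_WHEEL_RE is constructed to have the shape that causes this class of ReDoS (lazy .+? groups separated by literal hyphens, where "." also matches "-"); it is illustrative and is not claimed to be the project's own pattern. MAX_FILENAME_LEN and the hyphen counts used by the probe are values chosen for this example.

```python
# Added example (not from the advisory or pypa/wheel): a backtracking-prone
# wheel-filename regex, a split-based parser, a timing probe, and a version
# check against the range quoted on this page.
import re
import time

# Illustrative pattern with the troublesome shape: lazy ".+?" groups separated
# by literal hyphens. Because "." also matches "-", the engine can try every
# way of assigning hyphens to group boundaries before a non-matching input
# fails. Constructed for this example, not copied from the wheel project.
NAIVE_WHEEL_RE = re.compile(
    r"^(?P<name>.+?)-(?P<ver>.+?)(-(?P<build>\d[^-]*))?"
    r"-(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?)\.whl$"
)

# Upper bound on a file name we are willing to validate at all (chosen here;
# 255 is the usual single-component limit on common filesystems).
MAX_FILENAME_LEN = 255

# Last affected release per this advisory page ("<= 0.37.1").
LAST_AFFECTED = (0, 37, 1)


def parse_wheel_filename(filename):
    """Parse {name}-{ver}[-{build}]-{pyver}-{abi}-{plat}.whl without a regex.

    Splitting on "-" makes every hyphen a hard boundary, so the cost is linear
    in the file name length no matter how many hyphens it contains. Returns a
    dict of components, or None if the name is not a well-formed wheel name.
    """
    if len(filename) > MAX_FILENAME_LEN or not filename.endswith(".whl"):
        return None
    parts = filename[:-len(".whl")].split("-")
    if len(parts) == 5:
        name, ver, pyver, abi, plat = parts
        build = None
    elif len(parts) == 6:
        name, ver, build, pyver, abi, plat = parts
        # A build tag must start with a digit (binary distribution format).
        if not build[:1].isdigit():
            return None
    else:
        return None
    # Distribution names are escaped to [A-Za-z0-9_.] in wheel file names and
    # a version starts with a digit; an empty component is never valid.
    if (not all(parts) or not re.fullmatch(r"[A-Za-z0-9_.]+", name)
            or not ver[:1].isdigit()):
        return None
    return {"name": name, "ver": ver, "build": build,
            "pyver": pyver, "abi": abi, "plat": plat}


def probe_match_time(pattern, hyphen_counts=(8, 16, 32)):
    """Time pattern.match() on crafted non-matching inputs of growing size.

    Each input is "a-a-...-a" with the given number of hyphens and no ".whl"
    suffix, so every match must fail. Returns one duration in seconds per
    size; a jump of roughly 30x when the size doubles is the signature of a
    pattern whose work grows as a high power of the hyphen count.
    """
    durations = []
    for h in hyphen_counts:
        payload = "a-" * h + "a"  # constructed input: h hyphens, no suffix
        start = time.perf_counter()
        pattern.match(payload)
        durations.append(time.perf_counter() - start)
    return durations


def wheel_version_is_affected(version):
    """True if a wheel release number is <= 0.37.1, this advisory's range.

    Compares only the leading numeric release segments; pre-release or
    post-release suffixes are ignored, which is enough for the release
    numbers listed on this page.
    """
    nums = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if digits is None:
            break
        nums.append(int(digits.group()))
    return tuple(nums) <= LAST_AFFECTED


if __name__ == "__main__":
    for fn in ("wheel-0.38.1-py3-none-any.whl",
               "pkg-1.0-1-py3-none-any.whl",
               "a-" * 32 + "a"):
        print(fn[:40], "->", parse_wheel_filename(fn))
    print("naive regex on a normal name:",
          NAIVE_WHEEL_RE.match("pkg-1.0-py3-none-any.whl").groupdict())
    print("naive regex timings (s):", probe_match_time(NAIVE_WHEEL_RE))
    print("0.37.1 affected:", wheel_version_is_affected("0.37.1"))
```

When run, the timings printed for NAIVE_WHEEL_RE climb steeply between the 16- and 32-hyphen inputs while the split-based parser rejects the same inputs immediately; a length cap applied before any regex is the cheapest additional defence when the pattern itself cannot be changed.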

Permalink: https://github.com/advisories/GHSA-qwmp-2cf2-g9g6
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xd21wLTJjZjItZzlnNs4AAwjr
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-qwmp-2cf2-g9g6, CVE-2022-40898
References: Repository: https://github.com/pypa/wheel
Blast Radius: 36.6

Affected Packages

pypi:wheel
Dependent packages: 4,197
Dependent repositories: 76,418
Downloads: 222,339,079 last month
Affected Version Ranges: <= 0.37.1
Fixed in: 0.38.1
All affected versions: 0.4.1, 0.4.2, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 0.9.6, 0.9.7, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.11.0, 0.12.0, 0.13.0, 0.14.0, 0.15.0, 0.16.0, 0.17.0, 0.18.0, 0.19.0, 0.21.0, 0.22.0, 0.23.0, 0.24.0, 0.25.0, 0.26.0, 0.27.0, 0.28.0, 0.29.0, 0.30.0, 0.31.0, 0.31.1, 0.32.0, 0.32.1, 0.32.2, 0.32.3, 0.33.0, 0.33.1, 0.33.4, 0.33.5, 0.33.6, 0.34.0, 0.34.1, 0.34.2, 0.35.0, 0.35.1, 0.36.0, 0.36.1, 0.36.2, 0.37.0, 0.37.1
All unaffected versions: 0.38.0, 0.38.1, 0.38.2, 0.38.3, 0.38.4, 0.40.0, 0.41.0, 0.41.1, 0.41.2, 0.41.3, 0.42.0, 0.43.0