CVE-2022-42969

MEDIUM5.3

The py library through 1

Published Oct 16, 2022

Modified 8 months ago

No fix available

Details

The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. Note: This has been disputed by multiple third parties as not being reproduceable and they argue this is not a valid vulnerability.

References

WEBhttps://github.com/pytest-dev/py/blob/cb87a83960523a2367d0f19226a73aed4ce4291d/py/_path/svnurl.py#L316 WEBhttps://github.com/pytest-dev/py/issues/287 WEBhttps://news.ycombinator.com/item?id=34163710 WEBhttps://pypi.org/project/py ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2022-42969

CVSS Analysis

CVSS v3.1

5.3

Exploitability

Attack Complexity

LowAC:L

Attack Vector

NetworkAV:N

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Availability

LowA:L

Confidentiality

NoneC:N

Integrity

NoneI:N

5.3/CVSS:3.1/AC:L/AV:N/A:L/C:N/I:N/PR:N/S:U/UI:N

Ecosystems

Timeline

PublishedOct 16, 2022

ModifiedMay 14, 2025