rpm package
suse/python-setuptools&distro=SUSE Linux Enterprise Module for Public Cloud 12
pkg:rpm/suse/python-setuptools&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2012
Vulnerabilities (8)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-47273 | — | | | < 40.6.2-4.27.1 | 40.6.2-4.27.1 | May 17, 2025 | setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on |
| CVE-2024-6345 | High | 8.8 | | < 40.6.2-4.24.1 | 40.6.2-4.24.1 | Jul 15, 2024 | A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are suscepti |
| CVE-2022-40897 | — | | | < 40.6.2-4.21.1 | 40.6.2-4.21.1 | Dec 22, 2022 | Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. |
| CVE-2019-20916 | — | | | < 40.6.2-4.18.1 | 40.6.2-4.18.1 | Sep 4, 2020 | The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _ |
| CVE-2018-1000808 | — | | | < 18.0.1-4.8.1 | 18.0.1-4.8.1 | Oct 8, 2018 | Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE-401: Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploit |
| CVE-2018-1000807 | — | | | < 18.0.1-4.8.1 | 18.0.1-4.8.1 | Oct 8, 2018 | Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution. This attack appear to be exploitab |
| CVE-2016-9015 | Low | 3.7 | | < 40.6.2-4.12.23 | 40.6.2-4.12.23 | Jan 11, 2017 | Versions 1.17 and 1.18 of the Python urllib3 library suffer from a vulnerability that can cause them, in certain configurations, to not correctly validate TLS certificates. This places users of the library with those configurations at risk of man-in-the-middle and information lea |
| CVE-2013-7440 | Med | 5.9 | | < 1.1.7-7.1 | 1.1.7-7.1 | Jun 7, 2016 | The ssl.match_hostname function in CPython (aka Python) before 2.7.9 and 3.x before 3.3.3 does not properly handle wildcards in hostnames, which might allow man-in-the-middle attackers to spoof servers via a crafted certificate. |