CVE-2022-39280 - OpenCVE

dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service. All the users parsing index server URLs with dparse are impacted by this vulnerability. A patch has been applied in version `0.5.2`, all the users are advised to upgrade to `0.5.2` as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pyup	Dependency Parser

Configuration 1 [-]

cpe:2.3:a:pyup:dependency_parser:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5
https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614
https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-06T00:00:00

Updated: 2024-08-03T12:00:43.472Z

Reserved: 2022-09-02T00:00:00

Link: CVE-2022-39280

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-10-06T18:16:18.007

Modified: 2023-07-11T21:01:55.217

Link: CVE-2022-39280

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39280", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2024-08-03T12:00:43.472Z", "dateReserved": "2022-09-02T00:00:00", "datePublished": "2022-10-06T00:00:00"}, "containers": {"cna": {"title": "Regular expression denial of service in dparse", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-11T00:00:00"}, "descriptions": [{"lang": "en", "value": "dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service. All the users parsing index server URLs with dparse are impacted by this vulnerability. A patch has been applied in version `0.5.2`, all the users are advised to upgrade to `0.5.2` as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed."}], "affected": [{"vendor": "pyupio", "product": "dparse", "versions": [{"version": "< 0.5.2", "status": "affected"}]}], "references": [{"url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"}, {"url": "https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq"}, {"url": "https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5"}, {"url": "https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "source": {"advisory": "GHSA-8fg9-p83m-x5pq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.472Z"}, "title": "CVE Program Container", "references": [{"url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS", "tags": ["x_transferred"]}, {"url": "https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq", "tags": ["x_transferred"]}, {"url": "https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5", "tags": ["x_transferred"]}, {"url": "https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyup:dependency_parser:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9AC6716-0EE7-4CB2-9787-BB97BDD6F1EA", "versionEndExcluding": "0.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service. All the users parsing index server URLs with dparse are impacted by this vulnerability. A patch has been applied in version `0.5.2`, all the users are advised to upgrade to `0.5.2` as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed."}, {"lang": "es", "value": "dparse es un analizador de archivos de dependencia de Python. dparse en versiones anteriores a 0.5.2, contiene una expresi\u00f3n regular que es vulnerable a una Denegaci\u00f3n de Servicio por Expresi\u00f3n Regular. Todos los usuarios que parseen URLs de servidores de \u00edndices con dparse est\u00e1n impactados por esta vulnerabilidad. Ha sido aplicado un parche en versi\u00f3n \"0.5.2\", Es recomendado a todos los usuarios actualizar a \"0.5.2\" lo antes posible. Los usuarios que no puedan actualizar deber\u00edan evitar pasar las URLs del servidor de \u00edndices en el archivo fuente a analizar"}], "id": "CVE-2022-39280", "lastModified": "2023-07-11T21:01:55.217", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2022-10-06T18:16:18.007", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq"}, {"source": "security-advisories@github.com", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}