| Name | CVE-2022-42966 |
| Description | An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| python-cleo (PTS) | bookworm | 2.0.1-5 | fixed |
| sid, trixie | 2.1.0-2 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python-cleo | source | (unstable) | (not affected) |
- python-cleo <not-affected> (Vulnerable code introduced later; cf #1024018)
https://research.jfrog.com/vulnerabilities/cleo-redos-xray-257186/
https://github.com/python-poetry/cleo/issues/284
Introduced with: https://github.com/python-poetry/cleo/commit/de55578da25c6b1736b8b818f21c1bacf7c2475d (1.0.0a1)
Fixed by: https://github.com/python-poetry/cleo/commit/b5b9a04d2caf58bf7cf94eb7ae4a1ebbe60ea455