PyPi: Wheel

CVE-2022-40898

Safety vulnerability ID: 51499

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 23, 2022 Updated at Aug 04, 2024
Scan your Python projects for vulnerabilities →

Advisory

Wheel 0.38.1 includes a fix for CVE-2022-40898: An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers to cause a denial of service via attacker controlled input to wheel cli.
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages

Affected package

wheel

Latest version: 0.44.0

A built-package format for Python

Affected versions

Fixed versions

Vulnerability changelog

- Dropped support for Python < 3.7
- Updated vendored ``packaging`` to 21.3
- Replaced all uses of ``distutils`` with ``setuptools``
- The handling of ``license_files`` (including glob patterns and default
values) is now delegated to ``setuptools>=57.0.0`` (466).
The package dependencies were updated to reflect this change.
- Fixed potential DoS attack via the ``WHEEL_INFO_RE`` regular expression
- Fixed ``ValueError: ZIP does not support timestamps before 1980`` when using
``SOURCE_DATE_EPOCH=0`` or when on-disk timestamps are earlier than 1980-01-01. Such
timestamps are now changed to the minimum value before packaging.

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5
Attack Vector (AV)
NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
NONE
Availability Availability (A)
HIGH