CVE-2022-42966: cleo is vulnerable to Regular Expression Denial of Service (ReDoS)
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package when an attacker is able to supply arbitrary input to the Table.set_rows method. Because the regular expression backtracks exponentially in the length of the cell text, a short crafted string is enough to stall the process; no elevated privileges are needed beyond getting the string into a table cell. cleo is the console toolkit used by Poetry, so the practical exposure is any command that renders attacker-controlled strings (names or descriptions fetched from a remote source, for example) in a table with a cleo version before 2.0.0. The issue was fixed in cleo 2.0.0 (python-poetry/cleo pull request 285, commit b5b9a04d); upgrade to 2.0.0 or later.
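The following is an added example, not code from cleo or from this advisory, and the pattern in it is a constructed stand-in rather than the expression fixed in cleo 2.0.0. It shows the mechanics behind the advisory: a nested-quantifier pattern whose match time doubles with every extra character of a crafted input, a timing check that makes the exponential growth visible, an equivalent unambiguous pattern that runs in linear time, a regression check that the rewrite accepts the same strings, and a version check for the installed cleo (the helper names, the `MAX_*` constant and the sample strings are all assumptions of this example).

```python
"""Constructed ReDoS demonstration (added example; not cleo's code or regex)."""
import re
import time
from typing import Iterable, Optional

# Constructed vulnerable pattern: the inner and outer `+` can split a run of
# whitespace in ~2^n ways, and the trailing `$` makes every split fail when the
# text ends in a non-space, so the engine tries all of them before giving up.
VULNERABLE_RE = re.compile(r"^(\s+)+$")

# Same language, one unambiguous quantifier: the engine scans the input once.
SAFE_RE = re.compile(r"^\s+$")

# Release that carries the cleo fix, per the advisory references.
FIXED_CLEO_VERSION = (2, 0, 0)


def redos_payload(n: int) -> str:
    """n spaces followed by one character that defeats the match."""
    return " " * n + "x"


def min_match_time(pattern: re.Pattern, text: str, repeats: int = 5) -> float:
    """Best-of-N wall-clock time for pattern.match(text), in seconds."""
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - t0)
    return best


def growth_ratio(pattern: re.Pattern, n_small: int = 10, n_large: int = 18) -> float:
    """Slowdown when the payload grows from n_small to n_large characters.

    A linear-time pattern stays close to n_large / n_small; an exponential one
    jumps by roughly 2^(n_large - n_small), i.e. about 256x with the defaults.
    n_large is kept small so the demonstration itself finishes quickly.
    """
    t_small = min_match_time(pattern, redos_payload(n_small))
    t_large = min_match_time(pattern, redos_payload(n_large))
    return t_large / max(t_small, 1e-9)


def patterns_agree(samples: Iterable[str]) -> bool:
    """Regression check for a regex rewrite: the safe pattern must accept
    exactly the strings the vulnerable one does. Run it on short inputs only,
    where the old pattern still terminates in reasonable time."""
    return all(bool(VULNERABLE_RE.match(s)) == bool(SAFE_RE.match(s)) for s in samples)


def cleo_is_patched(version: str) -> bool:
    """True when a cleo version string is 2.0.0 or later.

    Only the leading X.Y.Z is compared; pre-release suffixes are ignored, so a
    2.0.0 pre-release is treated as patched (an approximation of this example).
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups()) >= FIXED_CLEO_VERSION


def installed_cleo_is_patched() -> Optional[bool]:
    """Check the cleo installed in this environment; None if it is absent."""
    from importlib.metadata import PackageNotFoundError, version
    try:
        return cleo_is_patched(version("cleo"))
    except PackageNotFoundError:
        return None


if __name__ == "__main__":
    print(f"vulnerable pattern slowdown: {growth_ratio(VULNERABLE_RE):.0f}x")
    print(f"safe pattern slowdown:       {growth_ratio(SAFE_RE):.1f}x")
    print("rewrite accepts the same strings:",
          patterns_agree(["", " ", "  \t\n", " x", "x ", "abc"]))
    print("installed cleo patched:", installed_cleo_is_patched())
```

Two points the timing makes concrete. First, a length cap on untrusted cell text is not a fix for an exponential pattern (2^255 attempts is still unbounded in practice); the fix is the pattern, and the cap only bounds the cost of an already-linear one. Second, when you rewrite a pattern, keep the equivalence check in your test suite so the hardened expression does not silently change what the table accepts.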
References
- github.com/advisories/GHSA-2p9h-ccw7-33gf
- github.com/pypa/advisory-database/tree/main/vulns/cleo/PYSEC-2022-43178.yaml
- github.com/python-poetry/cleo
- github.com/python-poetry/cleo/commit/b5b9a04d2caf58bf7cf94eb7ae4a1ebbe60ea455
- github.com/python-poetry/cleo/pull/285
- github.com/python-poetry/cleo/releases/tag/2.0.0
- nvd.nist.gov/vuln/detail/CVE-2022-42966
- research.jfrog.com/vulnerabilities/cleo-redos-xray-257186