GHSA-2p9h-ccw7-33gfMediumCVSS 5.9
cleo is vulnerable to Regular Expression Denial of Service (ReDoS)
🔗 CVE IDs covered (1)
📋 Description
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package, when an attacker is able to supply arbitrary input to the Table.set_rows method.
🎯 Affected products1
- pip/cleo:>= 1.0.0a1, < 2.0.0
🔗 References (7)
- https://nvd.nist.gov/vuln/detail/CVE-2022-42966
- https://research.jfrog.com/vulnerabilities/cleo-redos-xray-257186
- https://github.com/python-poetry/cleo/pull/285
- https://github.com/python-poetry/cleo/commit/b5b9a04d2caf58bf7cf94eb7ae4a1ebbe60ea455
- https://github.com/pypa/advisory-database/tree/main/vulns/cleo/PYSEC-2022-43178.yaml
- https://github.com/python-poetry/cleo/releases/tag/2.0.0
- https://github.com/advisories/GHSA-2p9h-ccw7-33gf