CVE-2022-39280 - Vulnerability Details - OpenCVE

dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service. All the users parsing index server URLs with dparse are impacted by this vulnerability. A patch has been applied in version `0.5.2`, all the users are advised to upgrade to `0.5.2` as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Pyup	Dependency Parser

Configuration 1 [-]

cpe:2.3:a:pyup:dependency_parser:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5
https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614
https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq
https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

History

Wed, 23 Apr 2025 17:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2022-10-06T00:00:00.000Z

Updated: 2025-04-23T16:52:14.285Z

Reserved: 2022-09-02T00:00:00.000Z

Link: CVE-2022-39280

Vulnrichment

Updated: 2024-08-03T12:00:43.472Z

NVD

Status : Modified

Published: 2022-10-06T18:16:18.007

Modified: 2024-11-21T07:17:56.850

Link: CVE-2022-39280

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39280", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-23T16:52:14.285Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-10-06T00:00:00.000Z"}, "containers": {"cna": {"title": "Regular expression denial of service in dparse", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-11T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service. All the users parsing index server URLs with dparse are impacted by this vulnerability. A patch has been applied in version `0.5.2`, all the users are advised to upgrade to `0.5.2` as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed."}], "affected": [{"vendor": "pyupio", "product": "dparse", "versions": [{"version": "< 0.5.2", "status": "affected"}]}], "references": [{"url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"}, {"url": "https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq"}, {"url": "https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5"}, {"url": "https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "source": {"advisory": "GHSA-8fg9-p83m-x5pq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.472Z"}, "title": "CVE Program Container", "references": [{"url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS", "tags": ["x_transferred"]}, {"url": "https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq", "tags": ["x_transferred"]}, {"url": "https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5", "tags": ["x_transferred"]}, {"url": "https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-23T13:56:40.078850Z", "id": "CVE-2022-39280", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T16:52:14.285Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-39280", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "dateUpdated": "2025-04-23T16:52:14.285Z", "dateReserved": "2022-09-02T00:00:00.000Z", "datePublished": "2022-10-06T00:00:00.000Z"}, "containers": {"cna": {"title": "Regular expression denial of service in dparse", "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2022-10-11T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service. All the users parsing index server URLs with dparse are impacted by this vulnerability. A patch has been applied in version `0.5.2`, all the users are advised to upgrade to `0.5.2` as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed."}], "affected": [{"vendor": "pyupio", "product": "dparse", "versions": [{"version": "< 0.5.2", "status": "affected"}]}], "references": [{"url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"}, {"url": "https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq"}, {"url": "https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5"}, {"url": "https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "cweId": "CWE-400"}]}], "source": {"advisory": "GHSA-8fg9-p83m-x5pq", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:00:43.472Z"}, "title": "CVE Program Container", "references": [{"url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS", "tags": ["x_transferred"]}, {"url": "https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq", "tags": ["x_transferred"]}, {"url": "https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5", "tags": ["x_transferred"]}, {"url": "https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-39280", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-23T13:56:40.078850Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-23T13:56:41.507Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pyup:dependency_parser:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9AC6716-0EE7-4CB2-9787-BB97BDD6F1EA", "versionEndExcluding": "0.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "dparse is a parser for Python dependency files. dparse in versions before 0.5.2 contain a regular expression that is vulnerable to a Regular Expression Denial of Service. All the users parsing index server URLs with dparse are impacted by this vulnerability. A patch has been applied in version `0.5.2`, all the users are advised to upgrade to `0.5.2` as soon as possible. Users unable to upgrade should avoid passing index server URLs in the source file to be parsed."}, {"lang": "es", "value": "dparse es un analizador de archivos de dependencia de Python. dparse en versiones anteriores a 0.5.2, contiene una expresi\u00f3n regular que es vulnerable a una Denegaci\u00f3n de Servicio por Expresi\u00f3n Regular. Todos los usuarios que parseen URLs de servidores de \u00edndices con dparse est\u00e1n impactados por esta vulnerabilidad. Ha sido aplicado un parche en versi\u00f3n \"0.5.2\", Es recomendado a todos los usuarios actualizar a \"0.5.2\" lo antes posible. Los usuarios que no puedan actualizar deber\u00edan evitar pasar las URLs del servidor de \u00edndices en el archivo fuente a analizar"}], "id": "CVE-2022-39280", "lastModified": "2024-11-21T07:17:56.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-10-06T18:16:18.007", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq"}, {"source": "security-advisories@github.com", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pyupio/dparse/commit/8c990170bbd6c0cf212f1151e9025486556062d5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/pyupio/dparse/commit/d87364f9db9ab916451b1b036cfeb039e726e614"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/pyupio/dparse/security/advisories/GHSA-8fg9-p83m-x5pq"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description", "Third Party Advisory"], "url": "https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}]}