2165866 – (CVE-2022-40899) CVE-2022-40899 python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server

Bug 2165866 (CVE-2022-40899) - CVE-2022-40899 python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious web server

Summary: CVE-2022-40899 python-future: remote attackers can cause denial of service vi...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-40899
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2166186 2166187 2166188 2166681 2168176 2168177 2168178 2168179 2218955
Blocks:	2165868
TreeView+	depends on / blocked

Reported:	2023-01-31 10:15 UTC by Dhananjay Arunesh
Modified:	2023-11-08 14:17 UTC (History)
CC List:	49 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2023-05-03 21:12:58 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:2101	None	None	None	2023-05-03 14:56:01 UTC
Red Hat Product Errata	RHSA-2023:4466	None	None	None	2023-08-03 13:30:19 UTC
Red Hat Product Errata	RHSA-2023:6818	None	None	None	2023-11-08 14:17:19 UTC

Description Dhananjay Arunesh 2023-01-31 10:15:56 UTC

An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial of service via crafted Set-Cookie header from malicious web server.

References:
https://pypi.org/project/future/
https://github.com/python/cpython/pull/17157
https://github.com/PythonCharmers/python-future/blob/master/src/future/backports/http/cookiejar.py#L215
https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/

Comment 6 errata-xmlrpc 2023-05-03 14:55:58 UTC

This issue has been addressed in the following products:

  RHUI 4 for RHEL 8

Via RHSA-2023:2101 https://access.redhat.com/errata/RHSA-2023:2101

Comment 7 Product Security DevOps Team 2023-05-03 21:12:54 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-40899

Comment 9 errata-xmlrpc 2023-08-03 13:30:16 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.13 for RHEL 8

Via RHSA-2023:4466 https://access.redhat.com/errata/RHSA-2023:4466

Comment 10 errata-xmlrpc 2023-11-08 14:17:16 UTC

This issue has been addressed in the following products:

  Red Hat Satellite 6.14 for RHEL 8

Via RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818

Note You need to log in before you can comment on or make changes to this bug.

akarol
apevec
bbuckingham
bcoca
bcourt
btotty
cwelton
davidn
dfreiber
dmetzger
eglynn
ehelms
epacific
gmccullo
gtanzill
jburrell
jcammara
jhardy
jjoyce
jneedle
jobarker
jsherril
lhh
lzap
mabashia
mburns
mgarciac
mhulan
mminar
nmoumoul
orabin
osapryki
pcreech
python-maint
rbiba
rchan
rhos-maint
rogbas
roliveri
rtillery
simaishi
smallamp
smcdonal
spower
sskracic
teagle
vkumar
yguenane
zsadeh