CVE-2025-47273 (GCVE-0-2025-47273)
Vulnerability from cvelistv5 – Published: 2025-05-17 15:46 – Updated: 2025-05-28 15:03 – CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
| URL | Tags |
|---|---|
| https://github.com/pypa/setuptools/security/advis… | x_refsource_CONFIRM |
| https://github.com/pypa/setuptools/issues/4946 | x_refsource_MISC |
| https://github.com/pypa/setuptools/commit/250a6d1… | x_refsource_MISC |
| https://github.com/pypa/setuptools/blob/6ead555c5… | x_refsource_MISC |
| Vendor | Product | Version | |
|---|---|---|---|
| pypa | setuptools | Affected: < 78.1.1 | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47273",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-19T14:45:34.580341Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-19T14:45:39.012Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pypa/setuptools/issues/4946"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-05-28T15:03:15.516Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "setuptools",
"vendor": "pypa",
"versions": [
{
"status": "affected",
"version": "\u003c 78.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-17T15:46:11.399Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"
},
{
"name": "https://github.com/pypa/setuptools/issues/4946",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pypa/setuptools/issues/4946"
},
{
"name": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b"
},
{
"name": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88"
}
],
"source": {
"advisory": "GHSA-5rjg-fvgr-3xxf",
"discovery": "UNKNOWN"
},
"title": "setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-47273",
"datePublished": "2025-05-17T15:46:11.399Z",
"dateReserved": "2025-05-05T16:53:10.372Z",
"dateUpdated": "2025-05-28T15:03:15.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-47273",
"date": "2026-05-30",
"epss": "0.0012",
"percentile": "0.30645"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-47273\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-05-17T16:15:19.110\",\"lastModified\":\"2025-06-12T16:29:01.660\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.\"},{\"lang\":\"es\",\"value\":\"setuptools es un paquete que permite a los usuarios descargar, compilar, instalar, actualizar y desinstalar paquetes de Python. Una vulnerabilidad de path traversal en `PackageIndex` est\u00e1 presente en setuptools anteriores a la versi\u00f3n 78.1.1. Un atacante podr\u00eda escribir archivos en ubicaciones arbitrarias del sistema de archivos con los permisos del proceso que ejecuta el c\u00f3digo Python, lo que podr\u00eda escalar a la ejecuci\u00f3n remota de c\u00f3digo seg\u00fan el contexto. 
La versi\u00f3n 78.1.1 corrige el problema.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"
userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"78.1.1\",\"matchCriteriaId\":\"13259606-A39D-4A80-A4CE-8F1B27A5FFE5\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/pypa/setuptools/issues/4946\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://github.com/pypa/setuptools/issues/4946\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Issue Tracking\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2025-05-28T15:03:15.516Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-47273\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-19T14:45:34.580341Z\"}}}], \"references\": [{\"url\": \"https://github.com/pypa/setuptools/issues/4946\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-19T14:45:25.303Z\"}}], \"cna\": {\"title\": \"setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write\", \"source\": {\"advisory\": \"GHSA-5rjg-fvgr-3xxf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"pypa\", \"product\": \"setuptools\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 78.1.1\"}]}], \"references\": [{\"url\": \"https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf\", \"name\": 
\"https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/pypa/setuptools/issues/4946\", \"name\": \"https://github.com/pypa/setuptools/issues/4946\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b\", \"name\": \"https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88\", \"name\": \"https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-05-17T15:46:11.399Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-47273\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-28T15:03:15.516Z\", \"dateReserved\": \"2025-05-05T16:53:10.372Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-05-17T15:46:11.399Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
cleanstart-2026-nr68832
Vulnerability from cleanstart
Multiple security vulnerabilities affect the python3 package. libexpat in Expat before 2. See references for individual vulnerability details.
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "python3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.11.14-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the python3 package. libexpat in Expat before 2. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-NR68832",
"modified": "2026-01-29T18:58:54Z",
"published": "2026-01-30T16:22:25.447471Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-NR68832"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-6345"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-47273"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-59375"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6345"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "libexpat in Expat before 2",
"upstream": [
"CVE-2024-6345",
"CVE-2025-47273",
"CVE-2025-59375"
]
}
FKIE_CVE-2025-47273
Vulnerability from fkie_nvd - Published: 2025-05-17 16:15 - Updated: 2025-06-12 16:29
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88 | Product | |
| security-advisories@github.com | https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b | Patch | |
| security-advisories@github.com | https://github.com/pypa/setuptools/issues/4946 | Exploit, Issue Tracking | |
| security-advisories@github.com | https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html | Mailing List | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/pypa/setuptools/issues/4946 | Exploit, Issue Tracking |
| Vendor | Product | Version | |
|---|---|---|---|
| python | setuptools | * | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:*",
"matchCriteriaId": "13259606-A39D-4A80-A4CE-8F1B27A5FFE5",
"versionEndExcluding": "78.1.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue."
},
{
"lang": "es",
"value": "setuptools es un paquete que permite a los usuarios descargar, compilar, instalar, actualizar y desinstalar paquetes de Python. Una vulnerabilidad de path traversal en `PackageIndex` est\u00e1 presente en setuptools anteriores a la versi\u00f3n 78.1.1. Un atacante podr\u00eda escribir archivos en ubicaciones arbitrarias del sistema de archivos con los permisos del proceso que ejecuta el c\u00f3digo Python, lo que podr\u00eda escalar a la ejecuci\u00f3n remota de c\u00f3digo seg\u00fan el contexto. La versi\u00f3n 78.1.1 corrige el problema."
}
],
"id": "CVE-2025-47273",
"lastModified": "2025-06-12T16:29:01.660",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-05-17T16:15:19.110",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/pypa/setuptools/issues/4946"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/pypa/setuptools/issues/4946"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-5RJG-FVGR-3XXF
Vulnerability from github – Published: 2025-05-19 16:52 – Updated: 2025-06-13 04:13
Summary
A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1
Details
def _download_url(self, url, tmpdir):
# Determine download filename
#
name, _fragment = egg_info_for_url(url)
if name:
while '..' in name:
name = name.replace('..', '.').replace('\\', '_')
else:
name = "__downloaded__" # default if URL has no path contents
if name.endswith('.egg.zip'):
name = name[:-4] # strip the extra .zip before download
--> filename = os.path.join(tmpdir, name)
Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88
os.path.join() discards the first argument tmpdir if the second begins with a slash or drive letter.
name is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient.
Risk Assessment
As easy_install and package_index are deprecated, the exploitation surface is reduced. However, it seems this could be exploited in a similar fashion like https://github.com/advisories/GHSA-r9hx-vwmv-q579, and as described by POC 4 in https://github.com/advisories/GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.
Impact
An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.
References
https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
https://github.com/pypa/setuptools/issues/4946
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "setuptools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "78.1.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-47273"
],
"database_specific": {
"cwe_ids": [
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-19T16:52:43Z",
"nvd_published_at": "2025-05-17T16:15:19Z",
"severity": "HIGH"
},
"details": "### Summary \nA path traversal vulnerability in `PackageIndex` was fixed in setuptools version 78.1.1\n\n### Details\n```\n def _download_url(self, url, tmpdir):\n # Determine download filename\n #\n name, _fragment = egg_info_for_url(url)\n if name:\n while \u0027..\u0027 in name:\n name = name.replace(\u0027..\u0027, \u0027.\u0027).replace(\u0027\\\\\u0027, \u0027_\u0027)\n else:\n name = \"__downloaded__\" # default if URL has no path contents\n\n if name.endswith(\u0027.[egg.zip](http://egg.zip/)\u0027):\n name = name[:-4] # strip the extra .zip before download\n\n --\u003e filename = os.path.join(tmpdir, name)\n```\n\nHere: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88\n\n`os.path.join()` discards the first argument `tmpdir` if the second begins with a slash or drive letter.\n`name` is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of \u0027..\u0027 with \u0027.\u0027, it is insufficient.\n\n### Risk Assessment\nAs easy_install and package_index are deprecated, the exploitation surface is reduced.\nHowever, it seems this could be exploited in a similar fashion like https://github.com/advisories/GHSA-r9hx-vwmv-q579, and as described by POC 4 in https://github.com/advisories/GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.\n\n### Impact\nAn attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.\n\n### References\nhttps://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5\nhttps://github.com/pypa/setuptools/issues/4946",
"id": "GHSA-5rjg-fvgr-3xxf",
"modified": "2025-06-13T04:13:22Z",
"published": "2025-05-19T16:52:43Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273"
},
{
"type": "WEB",
"url": "https://github.com/pypa/setuptools/issues/4946"
},
{
"type": "WEB",
"url": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/setuptools/PYSEC-2025-49.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/pypa/setuptools"
},
{
"type": "WEB",
"url": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write"
}
MSRC_CVE-2025-47273
Vulnerability from csaf_microsoft - Published: 2025-05-02 00:00 - Updated: 2026-02-21 03:02
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 19458-17084 | — |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17084-3 | — |
Vendor Fix
fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17086-2 | — | ||
| Unresolved product id: 17084-5 | — | ||
| Unresolved product id: 17086-6 | — | ||
| Unresolved product id: 17084-4 | — | ||
| Unresolved product id: 17084-1 | — |
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2025/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2025/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2025-47273 setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-47273.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write",
"tracking": {
"current_release_date": "2026-02-21T03:02:49.000Z",
"generator": {
"date": "2026-02-25T08:25:47.641Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2025-47273",
"initial_release_date": "2025-05-02T00:00:00.000Z",
"revision_history": [
{
"date": "2025-05-30T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2025-06-13T00:00:00.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Added python-setuptools to Azure Linux 3.0"
},
{
"date": "2026-02-21T03:02:49.000Z",
"legacy_version": "2",
"number": "3",
"summary": "Information published."
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
},
{
"category": "product_version",
"name": "3.0",
"product": {
"name": "Azure Linux 3.0",
"product_id": "17084"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cazl3 python-setuptools 69.0.3-5",
"product": {
"name": "\u003cazl3 python-setuptools 69.0.3-5",
"product_id": "3"
}
},
{
"category": "product_version",
"name": "azl3 python-setuptools 69.0.3-5",
"product": {
"name": "azl3 python-setuptools 69.0.3-5",
"product_id": "19458"
}
}
],
"category": "product_name",
"name": "python-setuptools"
},
{
"category": "product_name",
"name": "cbl2 python-virtualenv 20.26.6-1",
"product": {
"name": "cbl2 python-virtualenv 20.26.6-1",
"product_id": "2"
}
},
{
"category": "product_name",
"name": "azl3 python3 3.12.9-1",
"product": {
"name": "azl3 python3 3.12.9-1",
"product_id": "5"
}
},
{
"category": "product_name",
"name": "cbl2 python-virtualenv 20.26.6-1",
"product": {
"name": "cbl2 python-virtualenv 20.26.6-1",
"product_id": "6"
}
},
{
"category": "product_name",
"name": "azl3 tensorflow 2.16.1-9",
"product": {
"name": "azl3 tensorflow 2.16.1-9",
"product_id": "4"
}
},
{
"category": "product_name",
"name": "azl3 python-virtualenv 20.36.1-1",
"product": {
"name": "azl3 python-virtualenv 20.36.1-1",
"product_id": "1"
}
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 python-virtualenv 20.26.6-1 as a component of CBL Mariner 2.0",
"product_id": "17086-2"
},
"product_reference": "2",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 python3 3.12.9-1 as a component of Azure Linux 3.0",
"product_id": "17084-5"
},
"product_reference": "5",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 python-virtualenv 20.26.6-1 as a component of CBL Mariner 2.0",
"product_id": "17086-6"
},
"product_reference": "6",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cazl3 python-setuptools 69.0.3-5 as a component of Azure Linux 3.0",
"product_id": "17084-3"
},
"product_reference": "3",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 python-setuptools 69.0.3-5 as a component of Azure Linux 3.0",
"product_id": "19458-17084"
},
"product_reference": "19458",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 tensorflow 2.16.1-9 as a component of Azure Linux 3.0",
"product_id": "17084-4"
},
"product_reference": "4",
"relates_to_product_reference": "17084"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "azl3 python-virtualenv 20.36.1-1 as a component of Azure Linux 3.0",
"product_id": "17084-1"
},
"product_reference": "1",
"relates_to_product_reference": "17084"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47273",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"flags": [
{
"label": "component_not_present",
"product_ids": [
"17084-4"
]
},
{
"label": "vulnerable_code_not_in_execute_path",
"product_ids": [
"17086-2",
"17084-5",
"17086-6",
"17084-1"
]
}
],
"notes": [
{
"category": "general",
"text": "GitHub_M",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"19458-17084"
],
"known_affected": [
"17084-3"
],
"known_not_affected": [
"17086-2",
"17084-5",
"17086-6",
"17084-4",
"17084-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-47273 setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2025/msrc_cve-2025-47273.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2025-05-30T00:00:00.000Z",
"details": "69.0.3-5:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17084-3"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"environmentalsScore": 0.0,
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 8.8,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"17084-3"
]
}
],
"title": "setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write"
}
]
}
OPENSUSE-SU-2026:10539-1
Vulnerability from csaf_opensuse - Published: 2026-04-13 00:00 - Updated: 2026-04-13 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64 | — |
Vendor Fix
|
| URL | Category |
|---|---|
| https://www.suse.com/support/security/rating/ | external |
| https://ftp.suse.com/pub/projects/security/csaf/o… | self |
| https://www.suse.com/security/cve/CVE-2024-37891/ | self |
| https://www.suse.com/security/cve/CVE-2024-47081/ | self |
| https://www.suse.com/security/cve/CVE-2025-47273/ | self |
| https://www.suse.com/security/cve/CVE-2025-50181/ | self |
| https://www.suse.com/security/cve/CVE-2025-66418/ | self |
| https://www.suse.com/security/cve/CVE-2026-21441/ | self |
| https://www.suse.com/security/cve/CVE-2026-26007/ | self |
| https://www.suse.com/security/cve/CVE-2024-37891 | external |
| https://bugzilla.suse.com/1226469 | external |
| https://www.suse.com/security/cve/CVE-2024-47081 | external |
| https://bugzilla.suse.com/1244039 | external |
| https://www.suse.com/security/cve/CVE-2025-47273 | external |
| https://bugzilla.suse.com/1243313 | external |
| https://www.suse.com/security/cve/CVE-2025-50181 | external |
| https://bugzilla.suse.com/1244925 | external |
| https://www.suse.com/security/cve/CVE-2025-66418 | external |
| https://bugzilla.suse.com/1254866 | external |
| https://www.suse.com/security/cve/CVE-2026-21441 | external |
| https://bugzilla.suse.com/1256331 | external |
| https://www.suse.com/security/cve/CVE-2026-26007 | external |
| https://bugzilla.suse.com/1258074 | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "oci-cli-3.76.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the oci-cli-3.76.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10539",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10539-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-37891 page",
"url": "https://www.suse.com/security/cve/CVE-2024-37891/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-47081 page",
"url": "https://www.suse.com/security/cve/CVE-2024-47081/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-47273 page",
"url": "https://www.suse.com/security/cve/CVE-2025-47273/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-50181 page",
"url": "https://www.suse.com/security/cve/CVE-2025-50181/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-66418 page",
"url": "https://www.suse.com/security/cve/CVE-2025-66418/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-21441 page",
"url": "https://www.suse.com/security/cve/CVE-2026-21441/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-26007 page",
"url": "https://www.suse.com/security/cve/CVE-2026-26007/"
}
],
"title": "oci-cli-3.76.2-1.1 on GA media",
"tracking": {
"current_release_date": "2026-04-13T00:00:00Z",
"generator": {
"date": "2026-04-13T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10539-1",
"initial_release_date": "2026-04-13T00:00:00Z",
"revision_history": [
{
"date": "2026-04-13T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "oci-cli-3.76.2-1.1.aarch64",
"product": {
"name": "oci-cli-3.76.2-1.1.aarch64",
"product_id": "oci-cli-3.76.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "oci-cli-3.76.2-1.1.ppc64le",
"product": {
"name": "oci-cli-3.76.2-1.1.ppc64le",
"product_id": "oci-cli-3.76.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "oci-cli-3.76.2-1.1.s390x",
"product": {
"name": "oci-cli-3.76.2-1.1.s390x",
"product_id": "oci-cli-3.76.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "oci-cli-3.76.2-1.1.x86_64",
"product": {
"name": "oci-cli-3.76.2-1.1.x86_64",
"product_id": "oci-cli-3.76.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "oci-cli-3.76.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64"
},
"product_reference": "oci-cli-3.76.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oci-cli-3.76.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le"
},
"product_reference": "oci-cli-3.76.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oci-cli-3.76.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x"
},
"product_reference": "oci-cli-3.76.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "oci-cli-3.76.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
},
"product_reference": "oci-cli-3.76.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-37891",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-37891"
}
],
"notes": [
{
"category": "general",
"text": " urllib3 is a user-friendly HTTP client library for Python. When using urllib3\u0027s proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urllib3\u0027s proxy support, it\u0027s possible to accidentally configure the `Proxy-Authorization` header even though it won\u0027t have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn\u0027t treat the `Proxy-Authorization` HTTP header as one carrying authentication material and thus doesn\u0027t strip the header on cross-origin redirects. Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the `Proxy-Authorization` header during cross-origin redirects to avoid the small chance that users are doing this on accident. Users should use urllib3\u0027s proxy support or disable automatic redirects to achieve safe processing of the `Proxy-Authorization` header, but we still decided to strip the header by default in order to further protect users who aren\u0027t using the correct approach. We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited: 1. Setting the `Proxy-Authorization` header without using urllib3\u0027s built-in proxy support. 2. Not disabling HTTP redirects. 3. Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin. Users are advised to update to either version 1.26.19 or version 2.2.2. Users unable to upgrade may use the `Proxy-Authorization` header with urllib3\u0027s `ProxyManager`, disable HTTP redirects using `redirects=False` when sending requests, or not use the `Proxy-Authorization` header as mitigations.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-37891",
"url": "https://www.suse.com/security/cve/CVE-2024-37891"
},
{
"category": "external",
"summary": "SUSE Bug 1226469 for CVE-2024-37891",
"url": "https://bugzilla.suse.com/1226469"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-37891"
},
{
"cve": "CVE-2024-47081",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-47081"
}
],
"notes": [
{
"category": "general",
"text": "Requests is an HTTP library. Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Users should upgrade to version 2.32.4 to receive a fix. For older versions of Requests, use of the .netrc file can be disabled with `trust_env=False` on one\u0027s Requests Session.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-47081",
"url": "https://www.suse.com/security/cve/CVE-2024-47081"
},
{
"category": "external",
"summary": "SUSE Bug 1244039 for CVE-2024-47081",
"url": "https://bugzilla.suse.com/1244039"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-47081"
},
{
"cve": "CVE-2025-47273",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-47273"
}
],
"notes": [
{
"category": "general",
"text": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-47273",
"url": "https://www.suse.com/security/cve/CVE-2025-47273"
},
{
"category": "external",
"summary": "SUSE Bug 1243313 for CVE-2025-47273",
"url": "https://bugzilla.suse.com/1243313"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2025-47273"
},
{
"cve": "CVE-2025-50181",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-50181"
}
],
"notes": [
{
"category": "general",
"text": "urllib3 is a user-friendly HTTP client library for Python. Prior to 2.5.0, it is possible to disable redirects for all requests by instantiating a PoolManager and specifying retries in a way that disable redirects. By default, requests and botocore users are not affected. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable. This issue has been patched in version 2.5.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-50181",
"url": "https://www.suse.com/security/cve/CVE-2025-50181"
},
{
"category": "external",
"summary": "SUSE Bug 1244925 for CVE-2025-50181",
"url": "https://bugzilla.suse.com/1244925"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-50181"
},
{
"cve": "CVE-2025-66418",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-66418"
}
],
"notes": [
{
"category": "general",
"text": "urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-66418",
"url": "https://www.suse.com/security/cve/CVE-2025-66418"
},
{
"category": "external",
"summary": "SUSE Bug 1254866 for CVE-2025-66418",
"url": "https://bugzilla.suse.com/1254866"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2025-66418"
},
{
"cve": "CVE-2026-21441",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-21441"
}
],
"notes": [
{
"category": "general",
"text": "urllib3 is an HTTP client library for Python. urllib3\u0027s streaming API is designed for the efficient handling of large HTTP responses by reading the content in chunks, rather than loading the entire response body into memory at once. urllib3 can perform decoding or decompression based on the HTTP `Content-Encoding` header (e.g., `gzip`, `deflate`, `br`, or `zstd`). When using the streaming API, the library decompresses only the necessary bytes, enabling partial content consumption. Starting in version 1.22 and prior to version 2.6.3, for HTTP redirect responses, the library would read the entire response body to drain the connection and decompress the content unnecessarily. This decompression occurred even before any read methods were called, and configured read limits did not restrict the amount of decompressed data. As a result, there was no safeguard against decompression bombs. A malicious server could exploit this to trigger excessive resource consumption on the client. Applications and libraries are affected when they stream content from untrusted sources by setting `preload_content=False` when they do not disable redirects. Users should upgrade to at least urllib3 v2.6.3, in which the library does not decode content of redirect responses when `preload_content=False`. If upgrading is not immediately possible, disable redirects by setting `redirect=False` for requests to untrusted sources.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-21441",
"url": "https://www.suse.com/security/cve/CVE-2026-21441"
},
{
"category": "external",
"summary": "SUSE Bug 1256331 for CVE-2026-21441",
"url": "https://bugzilla.suse.com/1256331"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-21441"
},
{
"cve": "CVE-2026-26007",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-26007"
}
],
"notes": [
{
"category": "general",
"text": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_key() functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point P from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as S = [victim_private_key]P via ECDH, this leaks information about victim_private_key mod (small_subgroup_order). For curves with cofactor \u003e 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA, it\u0027s easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. This vulnerability is fixed in 46.0.5.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-26007",
"url": "https://www.suse.com/security/cve/CVE-2026-26007"
},
{
"category": "external",
"summary": "SUSE Bug 1258074 for CVE-2026-26007",
"url": "https://bugzilla.suse.com/1258074"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.aarch64",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.ppc64le",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.s390x",
"openSUSE Tumbleweed:oci-cli-3.76.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-04-13T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-26007"
}
]
}
PYSEC-2025-49
Vulnerability from pysec - Published: 2025-05-17 16:15 - Updated: 2025-06-12 22:23
setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in PackageIndex is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.
| Name | purl |
|---|---|
| setuptools | pkg:pypi/setuptools |
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "setuptools",
"purl": "pkg:pypi/setuptools"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "250a6d17978f9f6ac3ac887091f2d32886fbbb0b"
}
],
"repo": "https://github.com/pypa/setuptools",
"type": "GIT"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "78.1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.6b1",
"0.6b2",
"0.6b3",
"0.6b4",
"0.6c1",
"0.6c10",
"0.6c11",
"0.6c2",
"0.6c3",
"0.6c4",
"0.6c5",
"0.6c6",
"0.6c7",
"0.6c8",
"0.6c9",
"0.7.2",
"0.7.3",
"0.7.4",
"0.7.5",
"0.7.6",
"0.7.7",
"0.7.8",
"0.8",
"0.9",
"0.9.1",
"0.9.2",
"0.9.3",
"0.9.4",
"0.9.5",
"0.9.6",
"0.9.7",
"0.9.8",
"1.0",
"1.1",
"1.1.1",
"1.1.2",
"1.1.3",
"1.1.4",
"1.1.5",
"1.1.6",
"1.1.7",
"1.2",
"1.3",
"1.3.1",
"1.3.2",
"1.4",
"1.4.1",
"1.4.2",
"10.0",
"10.0.1",
"10.1",
"10.2",
"10.2.1",
"11.0",
"11.1",
"11.2",
"11.3",
"11.3.1",
"12.0",
"12.0.1",
"12.0.2",
"12.0.3",
"12.0.4",
"12.0.5",
"12.1",
"12.2",
"12.3",
"12.4",
"13.0",
"13.0.1",
"13.0.2",
"14.0",
"14.1",
"14.1.1",
"14.2",
"14.3",
"14.3.1",
"15.0",
"15.1",
"15.2",
"16.0",
"17.0",
"17.1",
"17.1.1",
"18.0",
"18.0.1",
"18.1",
"18.2",
"18.3",
"18.3.1",
"18.3.2",
"18.4",
"18.5",
"18.6",
"18.6.1",
"18.7",
"18.7.1",
"18.8",
"18.8.1",
"19.0",
"19.1",
"19.1.1",
"19.2",
"19.3",
"19.4",
"19.4.1",
"19.5",
"19.6",
"19.6.1",
"19.6.2",
"19.7",
"2.0",
"2.0.1",
"2.0.2",
"2.1",
"2.1.1",
"2.1.2",
"2.2",
"20.0",
"20.1",
"20.1.1",
"20.10.1",
"20.2.2",
"20.3",
"20.3.1",
"20.4",
"20.6.6",
"20.6.7",
"20.6.8",
"20.7.0",
"20.8.0",
"20.8.1",
"20.9.0",
"21.0.0",
"21.1.0",
"21.2.0",
"21.2.1",
"21.2.2",
"22.0.0",
"22.0.1",
"22.0.2",
"22.0.4",
"22.0.5",
"23.0.0",
"23.1.0",
"23.2.0",
"23.2.1",
"24.0.0",
"24.0.1",
"24.0.2",
"24.0.3",
"24.1.0",
"24.1.1",
"24.2.0",
"24.2.1",
"24.3.0",
"24.3.1",
"25.0.0",
"25.0.1",
"25.0.2",
"25.1.0",
"25.1.1",
"25.1.2",
"25.1.3",
"25.1.4",
"25.1.5",
"25.1.6",
"25.2.0",
"25.3.0",
"25.4.0",
"26.0.0",
"26.1.0",
"26.1.1",
"27.0.0",
"27.1.0",
"27.1.2",
"27.2.0",
"27.3.0",
"27.3.1",
"28.0.0",
"28.1.0",
"28.2.0",
"28.3.0",
"28.4.0",
"28.5.0",
"28.6.0",
"28.6.1",
"28.7.0",
"28.7.1",
"28.8.0",
"28.8.1",
"29.0.0",
"29.0.1",
"3.0",
"3.0.1",
"3.0.2",
"3.1",
"3.2",
"3.3",
"3.4",
"3.4.1",
"3.4.2",
"3.4.3",
"3.4.4",
"3.5",
"3.5.1",
"3.5.2",
"3.6",
"3.7",
"3.7.1",
"3.8",
"3.8.1",
"30.0.0",
"30.1.0",
"30.2.0",
"30.2.1",
"30.3.0",
"30.4.0",
"31.0.0",
"31.0.1",
"32.0.0",
"32.1.0",
"32.1.1",
"32.1.2",
"32.1.3",
"32.2.0",
"32.3.0",
"32.3.1",
"33.1.0",
"33.1.1",
"34.0.0",
"34.0.1",
"34.0.2",
"34.0.3",
"34.1.0",
"34.1.1",
"34.2.0",
"34.3.0",
"34.3.1",
"34.3.2",
"34.3.3",
"34.4.0",
"34.4.1",
"35.0.0",
"35.0.1",
"35.0.2",
"36.0.1",
"36.1.0",
"36.1.1",
"36.2.0",
"36.2.1",
"36.2.2",
"36.2.3",
"36.2.4",
"36.2.5",
"36.2.6",
"36.2.7",
"36.3.0",
"36.4.0",
"36.5.0",
"36.6.0",
"36.6.1",
"36.7.0",
"36.7.1",
"36.7.2",
"36.8.0",
"37.0.0",
"38.0.0",
"38.1.0",
"38.2.0",
"38.2.1",
"38.2.3",
"38.2.4",
"38.2.5",
"38.3.0",
"38.4.0",
"38.4.1",
"38.5.0",
"38.5.1",
"38.5.2",
"38.6.0",
"38.6.1",
"38.7.0",
"39.0.0",
"39.0.1",
"39.1.0",
"39.2.0",
"4.0",
"4.0.1",
"40.0.0",
"40.1.0",
"40.1.1",
"40.2.0",
"40.3.0",
"40.4.0",
"40.4.1",
"40.4.2",
"40.4.3",
"40.5.0",
"40.6.0",
"40.6.1",
"40.6.2",
"40.6.3",
"40.7.0",
"40.7.1",
"40.7.2",
"40.7.3",
"40.8.0",
"40.9.0",
"41.0.0",
"41.0.1",
"41.1.0",
"41.2.0",
"41.3.0",
"41.4.0",
"41.5.0",
"41.5.1",
"41.6.0",
"42.0.0",
"42.0.1",
"42.0.2",
"43.0.0",
"44.0.0",
"44.1.0",
"44.1.1",
"45.0.0",
"45.1.0",
"45.2.0",
"45.3.0",
"46.0.0",
"46.1.0",
"46.1.1",
"46.1.2",
"46.1.3",
"46.2.0",
"46.3.0",
"46.3.1",
"46.4.0",
"47.0.0",
"47.1.0",
"47.1.1",
"47.2.0",
"47.3.0",
"47.3.1",
"47.3.2",
"48.0.0",
"49.0.0",
"49.0.1",
"49.1.0",
"49.1.1",
"49.1.2",
"49.1.3",
"49.2.0",
"49.2.1",
"49.3.0",
"49.3.1",
"49.3.2",
"49.4.0",
"49.5.0",
"49.6.0",
"5.0",
"5.0.1",
"5.0.2",
"5.1",
"5.2",
"5.3",
"5.4",
"5.4.1",
"5.4.2",
"5.5",
"5.5.1",
"5.6",
"5.7",
"5.8",
"50.0.0",
"50.0.1",
"50.0.2",
"50.0.3",
"50.1.0",
"50.2.0",
"50.3.0",
"50.3.1",
"50.3.2",
"51.0.0",
"51.1.0",
"51.1.0.post20201221",
"51.1.1",
"51.1.2",
"51.2.0",
"51.3.0",
"51.3.1",
"51.3.2",
"51.3.3",
"52.0.0",
"53.0.0",
"53.1.0",
"54.0.0",
"54.1.0",
"54.1.1",
"54.1.2",
"54.1.3",
"54.2.0",
"56.0.0",
"56.1.0",
"56.2.0",
"57.0.0",
"57.1.0",
"57.2.0",
"57.3.0",
"57.4.0",
"57.5.0",
"58.0.0",
"58.0.1",
"58.0.2",
"58.0.3",
"58.0.4",
"58.1.0",
"58.2.0",
"58.3.0",
"58.4.0",
"58.5.0",
"58.5.1",
"58.5.2",
"58.5.3",
"59.0.1",
"59.1.0",
"59.1.1",
"59.2.0",
"59.3.0",
"59.4.0",
"59.5.0",
"59.6.0",
"59.7.0",
"59.8.0",
"6.0.1",
"6.0.2",
"6.1",
"60.0.0",
"60.0.1",
"60.0.2",
"60.0.3",
"60.0.4",
"60.0.5",
"60.1.0",
"60.1.1",
"60.10.0",
"60.2.0",
"60.3.0",
"60.3.1",
"60.4.0",
"60.5.0",
"60.6.0",
"60.7.0",
"60.7.1",
"60.8.0",
"60.8.1",
"60.8.2",
"60.9.0",
"60.9.1",
"60.9.2",
"60.9.3",
"61.0.0",
"61.1.0",
"61.1.1",
"61.2.0",
"61.3.0",
"61.3.1",
"62.0.0",
"62.1.0",
"62.2.0",
"62.3.0",
"62.3.1",
"62.3.2",
"62.3.3",
"62.3.4",
"62.4.0",
"62.5.0",
"62.6.0",
"63.0.0",
"63.0.0b1",
"63.1.0",
"63.2.0",
"63.3.0",
"63.4.0",
"63.4.1",
"63.4.2",
"63.4.3",
"64.0.0",
"64.0.1",
"64.0.2",
"64.0.3",
"65.0.0",
"65.0.1",
"65.0.2",
"65.1.0",
"65.1.1",
"65.2.0",
"65.3.0",
"65.4.0",
"65.4.1",
"65.5.0",
"65.5.1",
"65.6.0",
"65.6.1",
"65.6.2",
"65.6.3",
"65.7.0",
"66.0.0",
"66.1.0",
"66.1.1",
"67.0.0",
"67.1.0",
"67.2.0",
"67.3.1",
"67.3.2",
"67.3.3",
"67.4.0",
"67.5.0",
"67.5.1",
"67.6.0",
"67.6.1",
"67.7.0",
"67.7.1",
"67.7.2",
"67.8.0",
"68.0.0",
"68.1.0",
"68.1.2",
"68.2.0",
"68.2.1",
"68.2.2",
"69.0.0",
"69.0.1",
"69.0.2",
"69.0.3",
"69.1.0",
"69.1.1",
"69.2.0",
"69.3.0",
"69.3.1",
"69.4.0",
"69.4.1",
"69.4.2",
"69.5.0",
"69.5.1",
"7.0",
"70.0.0",
"70.1.0",
"70.1.1",
"70.2.0",
"70.3.0",
"71.0.0",
"71.0.1",
"71.0.2",
"71.0.3",
"71.0.4",
"71.1.0",
"72.0.0",
"72.1.0",
"72.2.0",
"73.0.0",
"73.0.1",
"74.0.0",
"74.1.0",
"74.1.1",
"74.1.2",
"74.1.3",
"75.0.0",
"75.1.0",
"75.2.0",
"75.3.0",
"75.3.1",
"75.3.2",
"75.4.0",
"75.5.0",
"75.6.0",
"75.7.0",
"75.8.0",
"75.8.1",
"75.8.2",
"75.9.0",
"75.9.1",
"76.0.0",
"76.1.0",
"77.0.1",
"77.0.3",
"78.0.1",
"78.0.2",
"78.1.0",
"8.0",
"8.0.1",
"8.0.2",
"8.0.3",
"8.0.4",
"8.1",
"8.2",
"8.2.1",
"8.3",
"9.0",
"9.0.1",
"9.1"
]
}
],
"aliases": [
"CVE-2025-47273",
"GHSA-5rjg-fvgr-3xxf"
],
"details": "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.",
"id": "PYSEC-2025-49",
"modified": "2025-06-12T22:23:11.115559+00:00",
"published": "2025-05-17T16:15:19+00:00",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"
},
{
"type": "ARTICLE",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00035.html"
},
{
"type": "EVIDENCE",
"url": "https://github.com/pypa/setuptools/issues/4946"
},
{
"type": "EVIDENCE",
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"
},
{
"type": "FIX",
"url": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b"
},
{
"type": "REPORT",
"url": "https://github.com/pypa/setuptools/issues/4946"
},
{
"type": "WEB",
"url": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
RHSA-2025:10407
Vulnerability from csaf_redhat - Published: 2025-07-07 12:06 - Updated: 2026-04-30 13:31

A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn't expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools.

Reviewer note: per Red Hat's statement in the record below, exploitation needs a vulnerable `PackageIndex.download()` call to run against a download URL the attacker controls; the impact is limited to file creation/overwrite with the privileges of that process, not reads. The sources on this page disagree on severity for the same CVE: this advisory scores CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L (7.1) and rates the update Moderate, while the PYSEC-2025-49 record above carries CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The fixed RHEL 9 package is python3-setuptools-53.0.0-13.el9_6.1 (a backport — the upstream version string does not change), no restart is required, and Red Hat lists no workaround meeting its criteria, so applying the update is the only offered mitigation.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Enterprise Linux BaseOS (v. 9) | BaseOS-9.6.0.Z.MAIN.EUS:python-setuptools-0:53.0.0-13.el9_6.1.src | 53.0.0-13.el9_6.1 (src) | Vendor fix (RHSA-2025:10407, no restart required); workaround: none meeting Red Hat criteria |
| Red Hat Enterprise Linux BaseOS (v. 9) | BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-0:53.0.0-13.el9_6.1.noarch | 53.0.0-13.el9_6.1 (noarch) | Vendor fix (RHSA-2025:10407, no restart required); workaround: none meeting Red Hat criteria |
| Red Hat Enterprise Linux BaseOS (v. 9) | BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-wheel-0:53.0.0-13.el9_6.1.noarch | 53.0.0-13.el9_6.1 (noarch) | Vendor fix (RHSA-2025:10407, no restart required); workaround: none meeting Red Hat criteria |
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2025:10407 | self |
| https://access.redhat.com/security/updates/classi… | external |
| https://bugzilla.redhat.com/show_bug.cgi?id=2366982 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2025-47273 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2366982 | external |
| https://www.cve.org/CVERecord?id=CVE-2025-47273 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2025-47273 | external |
| https://github.com/pypa/setuptools/blob/6ead555c5… | external |
| https://github.com/pypa/setuptools/commit/250a6d1… | external |
| https://github.com/pypa/setuptools/issues/4946 | external |
| https://github.com/pypa/setuptools/security/advis… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for python-setuptools is now available for Red Hat Enterprise Linux 9.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* setuptools: Path Traversal Vulnerability in setuptools PackageIndex (CVE-2025-47273)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:10407",
"url": "https://access.redhat.com/errata/RHSA-2025:10407"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "2366982",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366982"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10407.json"
}
],
"title": "Red Hat Security Advisory: python-setuptools security update",
"tracking": {
"current_release_date": "2026-04-30T13:31:28+00:00",
"generator": {
"date": "2026-04-30T13:31:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2025:10407",
"initial_release_date": "2025-07-07T12:06:41+00:00",
"revision_history": [
{
"date": "2025-07-07T12:06:41+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-07-07T12:06:41+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-30T13:31:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux BaseOS (v. 9)",
"product": {
"name": "Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.6.0.Z.MAIN.EUS",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:9::baseos"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "python-setuptools-0:53.0.0-13.el9_6.1.src",
"product": {
"name": "python-setuptools-0:53.0.0-13.el9_6.1.src",
"product_id": "python-setuptools-0:53.0.0-13.el9_6.1.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python-setuptools@53.0.0-13.el9_6.1?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "python3-setuptools-0:53.0.0-13.el9_6.1.noarch",
"product": {
"name": "python3-setuptools-0:53.0.0-13.el9_6.1.noarch",
"product_id": "python3-setuptools-0:53.0.0-13.el9_6.1.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-setuptools@53.0.0-13.el9_6.1?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "python3-setuptools-wheel-0:53.0.0-13.el9_6.1.noarch",
"product": {
"name": "python3-setuptools-wheel-0:53.0.0-13.el9_6.1.noarch",
"product_id": "python3-setuptools-wheel-0:53.0.0-13.el9_6.1.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/python3-setuptools-wheel@53.0.0-13.el9_6.1?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python-setuptools-0:53.0.0-13.el9_6.1.src as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.6.0.Z.MAIN.EUS:python-setuptools-0:53.0.0-13.el9_6.1.src"
},
"product_reference": "python-setuptools-0:53.0.0-13.el9_6.1.src",
"relates_to_product_reference": "BaseOS-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-setuptools-0:53.0.0-13.el9_6.1.noarch as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-0:53.0.0-13.el9_6.1.noarch"
},
"product_reference": "python3-setuptools-0:53.0.0-13.el9_6.1.noarch",
"relates_to_product_reference": "BaseOS-9.6.0.Z.MAIN.EUS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python3-setuptools-wheel-0:53.0.0-13.el9_6.1.noarch as a component of Red Hat Enterprise Linux BaseOS (v. 9)",
"product_id": "BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-wheel-0:53.0.0-13.el9_6.1.noarch"
},
"product_reference": "python3-setuptools-wheel-0:53.0.0-13.el9_6.1.noarch",
"relates_to_product_reference": "BaseOS-9.6.0.Z.MAIN.EUS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47273",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-05-17T16:00:41.145177+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2366982"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn\u0027t expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "setuptools: Path Traversal Vulnerability in setuptools PackageIndex",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Product Security has rated this vulnerability \"Moderate\" based on the impact of the damage caused by a successful exploitation and the pre-requisites.\n\n* Exploitation requires that the attacker have limited code execution access to a Python environment where they can trigger the vulnerable PackageIndex.download() function\u2014this might be via a script, plugin, or automated job. Full admin rights aren\u0027t needed but a user with no access at all will be unable to exploit this vulnerability.\n* The vulnerability impacts the integrity of the system within the same security boundary\u2014it does not enable access or compromise across trust boundaries (e.g., from one container to another or from user space to kernel).\n* Successful exploitation only allows the attacker to \"create\" new files. The vulnerability does not provide access to existing files and by an extension to any confidential information. \n* Arbitrary file writes can overwrite critical config files, executables, or scripts. This can lead to persistent code execution, system misconfiguration, or unauthorized behavior, especially in automated environments. While overwriting critical files could theoretically lead to service disruption, the vulnerability in isolation does not inherently cause denial of service. The exploit doesn\u0027t target availability directly, and in many cases, systems may continue running.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"BaseOS-9.6.0.Z.MAIN.EUS:python-setuptools-0:53.0.0-13.el9_6.1.src",
"BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-0:53.0.0-13.el9_6.1.noarch",
"BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-wheel-0:53.0.0-13.el9_6.1.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47273"
},
{
"category": "external",
"summary": "RHBZ#2366982",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366982"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47273"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88",
"url": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b",
"url": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/issues/4946",
"url": "https://github.com/pypa/setuptools/issues/4946"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf",
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"
}
],
"release_date": "2025-05-17T15:46:11.399000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-07T12:06:41+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"BaseOS-9.6.0.Z.MAIN.EUS:python-setuptools-0:53.0.0-13.el9_6.1.src",
"BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-0:53.0.0-13.el9_6.1.noarch",
"BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-wheel-0:53.0.0-13.el9_6.1.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10407"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"BaseOS-9.6.0.Z.MAIN.EUS:python-setuptools-0:53.0.0-13.el9_6.1.src",
"BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-0:53.0.0-13.el9_6.1.noarch",
"BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-wheel-0:53.0.0-13.el9_6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"BaseOS-9.6.0.Z.MAIN.EUS:python-setuptools-0:53.0.0-13.el9_6.1.src",
"BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-0:53.0.0-13.el9_6.1.noarch",
"BaseOS-9.6.0.Z.MAIN.EUS:python3-setuptools-wheel-0:53.0.0-13.el9_6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "setuptools: Path Traversal Vulnerability in setuptools PackageIndex"
}
]
}
RHSA-2025:10787
Vulnerability from csaf_redhat - Published: 2025-07-10 10:31 - Updated: 2026-03-10 16:02

A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn't expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools.

Reviewer note: this advisory (RHSA-2025:10787) tracks the same CVE-2025-47273 as the python-setuptools erratum above, but here the affected component is setuptools as shipped inside the Red Hat OpenShift Builds 1.4.1 container images listed below, identified by image digest rather than by RPM NVR. Remediation is therefore to move to the rebuilt 1.4.1 images, not to update an OS package on the cluster nodes.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7_arm64 | — | Vendor fix; Workaround |
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:dfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a_s390x | — | Vendor fix; Workaround |
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:f3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df_amd64 | — | Vendor fix; Workaround |
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:ffcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383_ppc64le | — | Vendor fix; Workaround |
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb_amd64 | — | Vendor fix; Workaround |
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5_ppc64le | — | Vendor fix; Workaround |
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:a6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3_s390x | — | Vendor fix; Workaround |
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:ba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533_arm64 | — | Vendor fix; Workaround |

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-operator-bundle@sha256:3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e_amd64 | — | Workaround |
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9_arm64 | — | Workaround |
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2_s390x | — | Workaround |
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173_ppc64le | — | Workaround |
| Builds for Red Hat OpenShift 1.4.1 | registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af_amd64 | — | Workaround |
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2025:10787 | self |
| https://access.redhat.com/security/cve/CVE-2025-47273 | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://docs.redhat.com/en/documentation/builds_f… | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2025-47273 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2366982 | external |
| https://www.cve.org/CVERecord?id=CVE-2025-47273 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2025-47273 | external |
| https://github.com/pypa/setuptools/blob/6ead555c5… | external |
| https://github.com/pypa/setuptools/commit/250a6d1… | external |
| https://github.com/pypa/setuptools/issues/4946 | external |
| https://github.com/pypa/setuptools/security/advis… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat OpenShift Builds 1.4.1 release",
"title": "Topic"
},
{
"category": "general",
"text": "Releases of Red Hat OpenShift Builds 1.4.1",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:10787",
"url": "https://access.redhat.com/errata/RHSA-2025:10787"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-47273",
"url": "https://access.redhat.com/security/cve/CVE-2025-47273"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/builds_for_red_hat_openshift/1.4",
"url": "https://docs.redhat.com/en/documentation/builds_for_red_hat_openshift/1.4"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10787.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift Builds 1.4.1",
"tracking": {
"current_release_date": "2026-03-10T16:02:09+00:00",
"generator": {
"date": "2026-03-10T16:02:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.2"
}
},
"id": "RHSA-2025:10787",
"initial_release_date": "2025-07-10T10:31:35+00:00",
"revision_history": [
{
"date": "2025-07-10T10:31:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-07-10T10:31:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-10T16:02:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Builds for Red Hat OpenShift 1.4.1",
"product": {
"name": "Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_builds:1.4::el9"
}
}
}
],
"category": "product_family",
"name": "Builds for Red Hat OpenShift"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af_amd64",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af_amd64",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-rhel9-operator@sha256%3A9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af?arch=amd64\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751964359"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-operator-bundle@sha256:3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e_amd64",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-operator-bundle@sha256:3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e_amd64",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-operator-bundle@sha256:3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-operator-bundle@sha256%3A3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1752134965"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:f3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df_amd64",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:f3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df_amd64",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:f3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-shared-resource-rhel9@sha256%3Af3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df?arch=amd64\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751884063"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb_amd64",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb_amd64",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb_amd64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-shared-resource-webhook-rhel9@sha256%3A308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb?arch=amd64\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751884061"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9_arm64",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9_arm64",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9_arm64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-rhel9-operator@sha256%3A59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9?arch=arm64\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751964359"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7_arm64",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7_arm64",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7_arm64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-shared-resource-rhel9@sha256%3A427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7?arch=arm64\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751884063"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:ba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533_arm64",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:ba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533_arm64",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:ba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533_arm64",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-shared-resource-webhook-rhel9@sha256%3Aba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533?arch=arm64\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751884061"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173_ppc64le",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-rhel9-operator@sha256%3A8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751964359"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:ffcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:ffcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383_ppc64le",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:ffcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-shared-resource-rhel9@sha256%3Affcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751884063"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5_ppc64le",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5_ppc64le",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-shared-resource-webhook-rhel9@sha256%3A6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751884061"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2_s390x",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2_s390x",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-rhel9-operator@sha256%3A62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2?arch=s390x\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751964359"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:dfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a_s390x",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:dfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a_s390x",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:dfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-shared-resource-rhel9@sha256%3Adfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a?arch=s390x\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751884063"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:a6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3_s390x",
"product": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:a6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3_s390x",
"product_id": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:a6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3_s390x",
"product_identification_helper": {
"purl": "pkg:oci/openshift-builds-shared-resource-webhook-rhel9@sha256%3Aa6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3?arch=s390x\u0026repository_url=registry.redhat.io/openshift-builds\u0026tag=1.4.1-1751884061"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-operator-bundle@sha256:3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e_amd64 as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-operator-bundle@sha256:3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e_amd64"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-operator-bundle@sha256:3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e_amd64",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9_arm64 as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9_arm64"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9_arm64",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2_s390x as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2_s390x"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2_s390x",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173_ppc64le as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173_ppc64le",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af_amd64 as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af_amd64"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af_amd64",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7_arm64 as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7_arm64"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7_arm64",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:dfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a_s390x as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:dfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a_s390x"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:dfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a_s390x",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:f3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df_amd64 as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:f3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df_amd64"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:f3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df_amd64",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:ffcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383_ppc64le as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:ffcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:ffcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383_ppc64le",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb_amd64 as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb_amd64"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb_amd64",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5_ppc64le as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5_ppc64le"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5_ppc64le",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:a6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3_s390x as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:a6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3_s390x"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:a6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3_s390x",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:ba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533_arm64 as a component of Builds for Red Hat OpenShift 1.4.1",
"product_id": "Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:ba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533_arm64"
},
"product_reference": "registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:ba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533_arm64",
"relates_to_product_reference": "Builds for Red Hat OpenShift 1.4.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47273",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-05-17T16:00:41.145177+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-operator-bundle@sha256:3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9_arm64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2366982"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn\u0027t expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "setuptools: Path Traversal Vulnerability in setuptools PackageIndex",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Product Security has rated this vulnerability \"Moderate\" based on the impact of the damage caused by a successful exploitation and the pre-requisites.\n\n* Exploitation requires that the attacker have limited code execution access to a Python environment where they can trigger the vulnerable PackageIndex.download() function with an attacker-influenced download URL\u2014this might be via a script, plugin, or automated job. Full admin rights aren\u0027t needed, but a user with no access at all will be unable to exploit this vulnerability.\n* The vulnerability impacts the integrity of the system within the same security boundary\u2014it does not enable access or compromise across trust boundaries (e.g., from one container to another or from user space to kernel).\n* Successful exploitation only allows the attacker to write files (creating new files or overwriting existing ones) at attacker-chosen paths, with the permissions of the process running setuptools. The vulnerability does not provide read access to existing files and, by extension, to any confidential information.\n* Arbitrary file writes can overwrite critical config files, executables, or scripts. This can lead to persistent code execution, system misconfiguration, or unauthorized behavior, especially in automated environments. While overwriting critical files could theoretically lead to service disruption, the vulnerability in isolation does not inherently cause denial of service. The exploit doesn\u0027t target availability directly, and in many cases, systems may continue running.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7_arm64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:dfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:f3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:ffcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:a6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:ba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533_arm64"
],
"known_not_affected": [
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-operator-bundle@sha256:3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9_arm64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47273"
},
{
"category": "external",
"summary": "RHBZ#2366982",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366982"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47273"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88",
"url": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b",
"url": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/issues/4946",
"url": "https://github.com/pypa/setuptools/issues/4946"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf",
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"
}
],
"release_date": "2025-05-17T15:46:11.399000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-10T10:31:35+00:00",
"details": "It is recommended that existing users of Red Hat OpenShift Builds 1.3.z upgrade to 1.4.1",
"product_ids": [
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7_arm64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:dfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:f3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:ffcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:a6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:ba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10787"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-operator-bundle@sha256:3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9_arm64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7_arm64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:dfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:f3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:ffcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:a6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:ba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-operator-bundle@sha256:3b93fb221cc377efc4a601a3ce553ec2cda31721392fe863b270dc6691c6bf1e_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:59e5c28c3de79b282937d2b373adedae5365b6afd433c3d5642817776dc4b8d9_arm64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:62336301b8aa91c76d722ff14b392781722d601edf952987e65536ef263e20f2_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:8deb57a0cecea893345898439b7e429ea63ae6d3cb7b1a3c8f8cbaeba4f8b173_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-rhel9-operator@sha256:9f07560b4dc919605d7271a2fda9d15c24dd022d2726c0268e7042935df208af_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7_arm64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:dfb452f8cabd785196c74eac3caeeb0b302ea84a851f6efa36165cd6b44dcd6a_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:f3e47ce04990e4cac429c8b70f9ec37ec331a7414d1aa5b57224507e7eb664df_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-rhel9@sha256:ffcd67bd8421a61c271f84abbfcc3e49b48f2e2084f04e30f497f16b02577383_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb_amd64",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:6415c4e9af5ba7221a9fecef531c295079744d5a4c36910ee4d3a34868e3f4b5_ppc64le",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:a6937042cb5b024a49298517c159a25c520eb9fafa54219a6b375d3ad906e3f3_s390x",
"Builds for Red Hat OpenShift 1.4.1:registry.redhat.io/openshift-builds/openshift-builds-shared-resource-webhook-rhel9@sha256:ba8448e9496528b2effea0bb08354397d2ef6598d6004d6dcf9b1f6205488533_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "setuptools: Path Traversal Vulnerability in setuptools PackageIndex"
}
]
}
RHSA-2025:10809
Vulnerability from csaf_redhat - Published: 2025-07-10 14:18 - Updated: 2026-03-10 16:02
A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn't expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Satellite 6.17:registry.redhat.io/satellite/iop-advisor-engine-rhel9@sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55_amd64 | — |
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2025:10809 | self |
| https://access.redhat.com/security/cve/CVE-2025-47273 | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://catalog.redhat.com/software/containers/search | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2025-47273 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2366982 | external |
| https://www.cve.org/CVERecord?id=CVE-2025-47273 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2025-47273 | external |
| https://github.com/pypa/setuptools/blob/6ead555c5… | external |
| https://github.com/pypa/setuptools/commit/250a6d1… | external |
| https://github.com/pypa/setuptools/issues/4946 | external |
| https://github.com/pypa/setuptools/security/advis… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A new satellite/iop-advisor-engine-rhel9 container image is now available as a Technology Preview in the Red Hat container registry.",
"title": "Topic"
},
{
"category": "general",
"text": "This adds the satellite/iop-advisor-engine-rhel9 image to the Red Hat container registry. To pull this container image, run the following command: podman pull registry.redhat.io/satellite/iop-advisor-engine-rhel9",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:10809",
"url": "https://access.redhat.com/errata/RHSA-2025:10809"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-47273",
"url": "https://access.redhat.com/security/cve/CVE-2025-47273"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://catalog.redhat.com/software/containers/search",
"url": "https://catalog.redhat.com/software/containers/search"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10809.json"
}
],
"title": "Red Hat Security Advisory: satellite/iop-advisor-engine-rhel9 container image available as a Technology Preview",
"tracking": {
"current_release_date": "2026-03-10T16:02:10+00:00",
"generator": {
"date": "2026-03-10T16:02:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.2"
}
},
"id": "RHSA-2025:10809",
"initial_release_date": "2025-07-10T14:18:19+00:00",
"revision_history": [
{
"date": "2025-07-10T14:18:19+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-07-10T14:18:21+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-03-10T16:02:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Satellite 6.17",
"product": {
"name": "Red Hat Satellite 6.17",
"product_id": "Red Hat Satellite 6.17",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:satellite:6.17::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Satellite"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/satellite/iop-advisor-engine-rhel9@sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55_amd64",
"product": {
"name": "registry.redhat.io/satellite/iop-advisor-engine-rhel9@sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55_amd64",
"product_id": "registry.redhat.io/satellite/iop-advisor-engine-rhel9@sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55_amd64",
"product_identification_helper": {
"purl": "pkg:oci/iop-advisor-engine-rhel9@sha256%3A27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55?arch=amd64\u0026repository_url=registry.redhat.io/satellite"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/satellite/iop-advisor-engine-rhel9@sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55_amd64 as a component of Red Hat Satellite 6.17",
"product_id": "Red Hat Satellite 6.17:registry.redhat.io/satellite/iop-advisor-engine-rhel9@sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55_amd64"
},
"product_reference": "registry.redhat.io/satellite/iop-advisor-engine-rhel9@sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55_amd64",
"relates_to_product_reference": "Red Hat Satellite 6.17"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47273",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-05-17T16:00:41.145177+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2366982"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn\u0027t expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "setuptools: Path Traversal Vulnerability in setuptools PackageIndex",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Product Security has rated this vulnerability \"Moderate\" based on the impact of the damage caused by a successful exploitation and the prerequisites.\n\n* Exploitation requires that the attacker have limited code execution access to a Python environment where they can trigger the vulnerable PackageIndex.download() function\u2014this might be via a script, plugin, or automated job. Full admin rights aren\u0027t needed but a user with no access at all will be unable to exploit this vulnerability.\n* The vulnerability impacts the integrity of the system within the same security boundary\u2014it does not enable access or compromise across trust boundaries (e.g., from one container to another or from user space to kernel).\n* Successful exploitation only allows the attacker to write (\"create\") files. The vulnerability does not provide read access to existing files and, by extension, to any confidential information.\n* Arbitrary file writes can overwrite critical config files, executables, or scripts. This can lead to persistent code execution, system misconfiguration, or unauthorized behavior, especially in automated environments. While overwriting critical files could theoretically lead to service disruption, the vulnerability in isolation does not inherently cause denial of service. The exploit doesn\u0027t target availability directly, and in many cases, systems may continue running.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Satellite 6.17:registry.redhat.io/satellite/iop-advisor-engine-rhel9@sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47273"
},
{
"category": "external",
"summary": "RHBZ#2366982",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366982"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47273"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88",
"url": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b",
"url": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/issues/4946",
"url": "https://github.com/pypa/setuptools/issues/4946"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf",
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"
}
],
"release_date": "2025-05-17T15:46:11.399000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-10T14:18:19+00:00",
"details": "The container image provided by this update can be downloaded from the Red Hat container registry at registry.redhat.io using the \"podman pull\" command. For more information about the image, search for the \u003cimage_name\u003e in the Red Hat Ecosystem Catalog: https://catalog.redhat.com/software/containers/search.",
"product_ids": [
"Red Hat Satellite 6.17:registry.redhat.io/satellite/iop-advisor-engine-rhel9@sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10809"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Satellite 6.17:registry.redhat.io/satellite/iop-advisor-engine-rhel9@sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Satellite 6.17:registry.redhat.io/satellite/iop-advisor-engine-rhel9@sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "setuptools: Path Traversal Vulnerability in setuptools PackageIndex"
}
]
}
RHSA-2025:10992
Vulnerability from csaf_redhat - Published: 2025-07-14 19:46 - Updated: 2026-05-12 11:14
A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn't expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64 | — |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64 | — |
| Unresolved product id: Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64 | — |
A flaw was found in tar-fs. This vulnerability allows files to be written outside the intended extraction directory via specially crafted tar archives. The issue arises from insufficient path validation during tarball extraction, potentially enabling path traversal attacks that can overwrite arbitrary files on the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64 | — |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64 | — |
| Unresolved product id: Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64 | — |
| URL | Category |
|---|---|
| https://access.redhat.com/errata/RHSA-2025:10992 | self |
| https://access.redhat.com/security/cve/CVE-2025-47273 | external |
| https://access.redhat.com/security/cve/CVE-2025-48387 | external |
| https://access.redhat.com/security/updates/classi… | external |
| https://catalog.redhat.com/search?gs&searchType=c… | external |
| https://developers.redhat.com/rhdh/overview | external |
| https://docs.redhat.com/en/documentation/red_hat_… | external |
| https://issues.redhat.com/browse/RHIDP-7702 | external |
| https://issues.redhat.com/browse/RHIDP-7793 | external |
| https://security.access.redhat.com/data/csaf/v2/a… | self |
| https://access.redhat.com/security/cve/CVE-2025-47273 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2366982 | external |
| https://www.cve.org/CVERecord?id=CVE-2025-47273 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2025-47273 | external |
| https://github.com/pypa/setuptools/blob/6ead555c5… | external |
| https://github.com/pypa/setuptools/commit/250a6d1… | external |
| https://github.com/pypa/setuptools/issues/4946 | external |
| https://github.com/pypa/setuptools/security/advis… | external |
| https://access.redhat.com/security/cve/CVE-2025-48387 | self |
| https://bugzilla.redhat.com/show_bug.cgi?id=2369875 | external |
| https://www.cve.org/CVERecord?id=CVE-2025-48387 | external |
| https://nvd.nist.gov/vuln/detail/CVE-2025-48387 | external |
| https://github.com/mafintosh/tar-fs/commit/647447… | external |
| https://github.com/mafintosh/tar-fs/security/advi… | external |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Red Hat Developer Hub 1.5.3 has been released.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Developer Hub (RHDH) is Red Hat\u0027s enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single pane of glass, a centralized software catalog, self-service via golden path templates, and Tech Docs. RHDH is extensible by plugins.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2025:10992",
"url": "https://access.redhat.com/errata/RHSA-2025:10992"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-47273",
"url": "https://access.redhat.com/security/cve/CVE-2025-47273"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-48387",
"url": "https://access.redhat.com/security/cve/CVE-2025-48387"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh",
"url": "https://catalog.redhat.com/search?gs\u0026searchType=containers\u0026q=rhdh"
},
{
"category": "external",
"summary": "https://developers.redhat.com/rhdh/overview",
"url": "https://developers.redhat.com/rhdh/overview"
},
{
"category": "external",
"summary": "https://docs.redhat.com/en/documentation/red_hat_developer_hub",
"url": "https://docs.redhat.com/en/documentation/red_hat_developer_hub"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHIDP-7702",
"url": "https://issues.redhat.com/browse/RHIDP-7702"
},
{
"category": "external",
"summary": "https://issues.redhat.com/browse/RHIDP-7793",
"url": "https://issues.redhat.com/browse/RHIDP-7793"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_10992.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Developer Hub 1.5.3 release.",
"tracking": {
"current_release_date": "2026-05-12T11:14:42+00:00",
"generator": {
"date": "2026-05-12T11:14:42+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.9"
}
},
"id": "RHSA-2025:10992",
"initial_release_date": "2025-07-14T19:46:35+00:00",
"revision_history": [
{
"date": "2025-07-14T19:46:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2025-07-14T19:46:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-12T11:14:42+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Developer Hub 1.5",
"product": {
"name": "Red Hat Developer Hub 1.5",
"product_id": "Red Hat Developer Hub 1.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhdh:1.5::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat Developer Hub"
},
{
"branches": [
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-hub-rhel9@sha256%3A1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.5.3-1752159545"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-rhel9-operator@sha256%3A46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.5.3-1752159639"
}
}
},
{
"category": "product_version",
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"product": {
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"product_id": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"product_identification_helper": {
"purl": "pkg:oci/rhdh-operator-bundle@sha256%3A5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4?arch=amd64\u0026repository_url=registry.redhat.io/rhdh\u0026tag=1.5.3-1752166658"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64 as a component of Red Hat Developer Hub 1.5",
"product_id": "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64 as a component of Red Hat Developer Hub 1.5",
"product_id": "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64 as a component of Red Hat Developer Hub 1.5",
"product_id": "Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64"
},
"product_reference": "registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64",
"relates_to_product_reference": "Red Hat Developer Hub 1.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-47273",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-05-17T16:00:41.145177+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2366982"
}
],
"notes": [
{
"category": "description",
"text": "A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn\u0027t expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "setuptools: Path Traversal Vulnerability in setuptools PackageIndex",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Product Security has rated this vulnerability \"Moderate\" based on the impact of the damage caused by a successful exploitation and the prerequisites.\n\n* Exploitation requires that the attacker have limited code execution access to a Python environment where they can trigger the vulnerable PackageIndex.download() function\u2014this might be via a script, plugin, or automated job. Full admin rights aren\u0027t needed but a user with no access at all will be unable to exploit this vulnerability.\n* The vulnerability impacts the integrity of the system within the same security boundary\u2014it does not enable access or compromise across trust boundaries (e.g., from one container to another or from user space to kernel).\n* Successful exploitation only allows the attacker to write (\"create\") files. The vulnerability does not provide read access to existing files and, by extension, to any confidential information.\n* Arbitrary file writes can overwrite critical config files, executables, or scripts. This can lead to persistent code execution, system misconfiguration, or unauthorized behavior, especially in automated environments. While overwriting critical files could theoretically lead to service disruption, the vulnerability in isolation does not inherently cause denial of service. The exploit doesn\u0027t target availability directly, and in many cases, systems may continue running.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-47273"
},
{
"category": "external",
"summary": "RHBZ#2366982",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366982"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-47273",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-47273"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47273"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88",
"url": "https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b",
"url": "https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/issues/4946",
"url": "https://github.com/pypa/setuptools/issues/4946"
},
{
"category": "external",
"summary": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf",
"url": "https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf"
}
],
"release_date": "2025-05-17T15:46:11.399000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-14T19:46:35+00:00",
"details": "For more information about Red Hat Developer Hub, see the links under References",
"product_ids": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10992"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "setuptools: Path Traversal Vulnerability in setuptools PackageIndex"
},
{
"cve": "CVE-2025-48387",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2025-06-02T20:00:45.526571+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2369875"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in tar-fs. This vulnerability allows files to be written outside the intended extraction directory via specially crafted tar archives. The issue arises from insufficient path validation during tarball extraction, potentially enabling path traversal attacks that can overwrite arbitrary files on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in tar-fs is Important not a moderate flaw, primarily due to its ability to bypass directory confinement during tarball extraction. The core issue\u2014path traversal via crafted archive entries\u2014allows attackers to write files outside the intended extraction directory, potentially overwriting system files, configuration files, or injecting malicious scripts into sensitive locations. Unlike moderate flaws that may require specific conditions or user interaction to exploit, this vulnerability can be triggered automatically in server-side environments that extract user-supplied tar files (e.g., CI/CD systems, deployment tools, or file upload handlers). Its exploitation could lead to remote code execution, privilege escalation, or denial of service, depending on the context.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64"
],
"known_not_affected": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-48387"
},
{
"category": "external",
"summary": "RHBZ#2369875",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2369875"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-48387",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48387"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-48387",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48387"
},
{
"category": "external",
"summary": "https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f",
"url": "https://github.com/mafintosh/tar-fs/commit/647447b572bc135c41035e82ca7b894f02b17f0f"
},
{
"category": "external",
"summary": "https://github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v",
"url": "https://github.com/mafintosh/tar-fs/security/advisories/GHSA-8cj5-5rvv-wf4v"
}
],
"release_date": "2025-06-02T19:20:18.220000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2025-07-14T19:46:35+00:00",
"details": "For more about Red Hat Developer Hub, see References links",
"product_ids": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2025:10992"
},
{
"category": "workaround",
"details": "Mitigation is either unavailable or does not meet Red Hat Product Security standards for usability, deployment, applicability, or stability.",
"product_ids": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"products": [
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-hub-rhel9@sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-operator-bundle@sha256:5a19032dda9a0f584b41cbe9e729ed23e6003d90ebbb026eb9e7bb9769d4a4e4_amd64",
"Red Hat Developer Hub 1.5:registry.redhat.io/rhdh/rhdh-rhel9-operator@sha256:46c6d246831d26833d5381afd555f36bb52a8cb02fc025c06042983021c20222_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tar-fs: tar-fs has issue where extract can write outside the specified dir with a specific tarball"
}
]
}