Bug 2366982 (CVE-2025-47273)
| Summary: | CVE-2025-47273 setuptools: Path Traversal Vulnerability in setuptools PackageIndex | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aasthana, abarbaro, adinn, adudiak, anpicker, anthomas, aprice, bbrownin, bdettelb, caswilli, cmah, crizzo, dfreiber, dhanak, dnakabaa, doconnor, drosa, drow, dsimansk, eglynn, ehelms, fzakkak, galder.zamarreno, ggainey, gkamathe, gtanzill, haoli, hasun, hkataria, hukhan, jajackso, jburrell, jbuscemi, jcammara, jcantril, jchui, jdobes, jfula, jhe, jjoyce, jkoehler, jmitchel, jneedle, jowilson, jsamir, jtanner, juwatts, jwong, kaycoth, kegrant, kgaikwad, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lball, lcouzens, ljawale, lphiri, luizcosta, mabashia, matzew, mbabacek, mburns, mgarciac, mhulan, mnovotny, mprahl, mrunge, mskarbek, nboldt, ngough, nkathole, nmoumoul, nweather, nyancey, oezr, olubyans, omaciel, ometelka, orabin, osousa, pakotvan, pbraun, pcreech, periklis, pjindal, psrna, ptisnovs, rbobbitt, rchan, rojacob, sausingh, sbiarozk, sdawley, sgehwolf, shvarugh, simaishi, smallamp, smcdonal, stcannon, sthirugn, syedriko, teagle, tfister, thavo, tmalecek, tqvarnst, ttakamiy, veshanka, vimartin, vkrizan, vkumar, xdharmai, xiaoxwan, yguenane, zzhou |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn't expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools. | ||
| Story Points: | --- | ||
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2372616, 2372617, 2367429, 2367430, 2372612, 2372613, 2372614, 2372615 | ||
| Bug Blocks: | |||
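The Doc Text above describes a filename derived from an untrusted download URL being joined into a temporary directory with only basic sanitization. The following is an added example (not code from setuptools or from this bug report) of the defensive pattern a downloader should apply instead: reduce the URL path to a single component, decode it, reject anything that still carries a separator, and then verify that the resolved target stays inside the temporary directory before writing. The URL host `example.invalid` and the sample URLs are constructed for the demo.

```python
"""Containment check for a download path derived from a package URL."""
import tempfile
from pathlib import Path
from urllib.parse import unquote, urlsplit


def filename_from_url(url: str) -> str:
    """Take the last URL path segment, then percent-decode it.

    Decoding after the split matters: '..%2F..%2Fx' is one URL segment,
    but decodes to '../../x', which the separator check below rejects.
    """
    name = unquote(urlsplit(url).path.rsplit("/", 1)[-1])
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        raise ValueError(f"unusable filename in URL: {url!r}")
    return name


def safe_download_path(tmpdir: str, url: str) -> Path:
    """Return tmpdir/<name> only if the resolved path is inside tmpdir.

    resolve() follows symlinks and normalises '..' on both sides, so this
    is a defence-in-depth check that does not depend on how the name was
    sanitised; relative_to() raises ValueError if the target escapes.
    """
    base = Path(tmpdir).resolve()
    target = (base / filename_from_url(url)).resolve()
    target.relative_to(base)
    return target


def classify(tmpdir: str, url: str) -> str:
    """'accepted' or 'rejected' for one URL."""
    try:
        safe_download_path(tmpdir, url)
        return "accepted"
    except ValueError:
        return "rejected"


# Constructed sample URLs (not from the bug report); example.invalid is a
# reserved, unroutable name, so nothing here touches the network.
SAMPLE_URLS = (
    "https://example.invalid/simple/pkg-1.0.tar.gz",
    "https://example.invalid/simple/..%2F..%2Fescape.txt",
    "https://example.invalid/simple/",
)


def demo_results() -> dict:
    """Classify every sample URL against a fresh temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return {u: classify(tmp, u) for u in SAMPLE_URLS}


if __name__ == "__main__":
    for url, verdict in demo_results().items():
        print(f"{verdict:9} {url}")
```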
Description
OSIDB Bzimport
2025-05-17 16:01:04 UTC
This issue has been addressed in the following products:

- Red Hat Enterprise Linux 10, via RHSA-2025:9940 https://access.redhat.com/errata/RHSA-2025:9940
- Red Hat Enterprise Linux 9, via RHSA-2025:10407 https://access.redhat.com/errata/RHSA-2025:10407
- Red Hat Enterprise Linux 8, via RHSA-2025:11043 https://access.redhat.com/errata/RHSA-2025:11043
- Red Hat Enterprise Linux 8, via RHSA-2025:11036 https://access.redhat.com/errata/RHSA-2025:11036
- Red Hat Enterprise Linux 8, via RHSA-2025:11044 https://access.redhat.com/errata/RHSA-2025:11044
- Red Hat Enterprise Linux 9.4 Extended Update Support, via RHSA-2025:11102 https://access.redhat.com/errata/RHSA-2025:11102
- Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions, via RHSA-2025:11101 https://access.redhat.com/errata/RHSA-2025:11101
- Red Hat Enterprise Linux 8.2 Advanced Update Support, via RHSA-2025:11426 https://access.redhat.com/errata/RHSA-2025:11426
- Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On, via RHSA-2025:11425 https://access.redhat.com/errata/RHSA-2025:11425
- Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.8 Telecommunications Update Service, via RHSA-2025:11427 https://access.redhat.com/errata/RHSA-2025:11427
- Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service, via RHSA-2025:11424 https://access.redhat.com/errata/RHSA-2025:11424
- Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, via RHSA-2025:11464 https://access.redhat.com/errata/RHSA-2025:11464
- Red Hat Enterprise Linux 9, via RHSA-2025:11463 https://access.redhat.com/errata/RHSA-2025:11463
- Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, via RHSA-2025:11584 https://access.redhat.com/errata/RHSA-2025:11584
- Red Hat Enterprise Linux 7 Extended Lifecycle Support, via RHSA-2025:11607 https://access.redhat.com/errata/RHSA-2025:11607
- Red Hat Enterprise Linux 9.4 Extended Update Support, via RHSA-2025:11868 https://access.redhat.com/errata/RHSA-2025:11868
- Red Hat Enterprise Linux 7 Extended Lifecycle Support, via RHSA-2025:11984 https://access.redhat.com/errata/RHSA-2025:11984
- Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions, via RHSA-2025:12020 https://access.redhat.com/errata/RHSA-2025:12020
- Red Hat Enterprise Linux 9, via RHSA-2025:12834 https://access.redhat.com/errata/RHSA-2025:12834
- Red Hat Enterprise Linux 9, via RHSA-2025:13578 https://access.redhat.com/errata/RHSA-2025:13578
- Red Hat Enterprise Linux 9.4 Extended Update Support, via RHSA-2025:13669 https://access.redhat.com/errata/RHSA-2025:13669
- Red Hat Enterprise Linux 9.4 Extended Update Support, via RHSA-2025:13668 https://access.redhat.com/errata/RHSA-2025:13668
- Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions, via RHSA-2025:13803 https://access.redhat.com/errata/RHSA-2025:13803
- Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.8 Telecommunications Update Service, via RHSA-2025:13804 https://access.redhat.com/errata/RHSA-2025:13804
- Red Hat Ansible Automation Platform 2.5 for RHEL 8; Red Hat Ansible Automation Platform 2.5 for RHEL 9, via RHSA-2025:14686 https://access.redhat.com/errata/RHSA-2025:14686
- Red Hat Enterprise Linux 8, via RHSA-2025:14900 https://access.redhat.com/errata/RHSA-2025:14900
- Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On, via RHSA-2025:15411 https://access.redhat.com/errata/RHSA-2025:15411
- Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions, via RHSA-2025:15408 https://access.redhat.com/errata/RHSA-2025:15408
- Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support; Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions; Red Hat Enterprise Linux 8.6 Telecommunications Update Service, via RHSA-2025:15410 https://access.redhat.com/errata/RHSA-2025:15410