Bug 2366982 (CVE-2025-47273)
| Summary: | CVE-2025-47273 setuptools: Path Traversal Vulnerability in setuptools PackageIndex | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aasthana, abarbaro, adinn, adudiak, anpicker, anthomas, aprice, bbrownin, bdettelb, bkabrda, caswilli, cdaley, cmah, crizzo, dfreiber, dhanak, dnakabaa, doconnor, drosa, drow, dsimansk, eglynn, ehelms, fzakkak, galder.zamarreno, ggainey, gkamathe, haoli, hasun, hkataria, hukhan, jajackso, jburrell, jbuscemi, jcammara, jcantril, jchui, jdobes, jfula, jhe, jjoyce, jkoehler, jmitchel, jneedle, jowilson, jsamir, jtanner, juwatts, jwong, kaycoth, kegrant, kgaikwad, kholdawa, kingland, koliveir, kshier, ktsao, kverlaen, lball, lcouzens, ljawale, lphiri, luizcosta, mabashia, matzew, mbabacek, mburns, mgarciac, mhulan, mnovotny, mprahl, mrunge, mskarbek, nboldt, ngough, nkathole, nmoumoul, nweather, nyancey, oezr, olubyans, omaciel, ometelka, orabin, osousa, pakotvan, pbraun, pcreech, periklis, pjindal, psegedy, psrna, ptisnovs, rbobbitt, rchan, rojacob, sausingh, sbiarozk, sdawley, sgehwolf, shvarugh, simaishi, smallamp, smcdonal, stcannon, sthirugn, syedriko, teagle, tfister, thavo, tqvarnst, ttakamiy, veshanka, vimartin, vkrizan, vkumar, xdharmai, xiaoxwan, yguenane, zzhou |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn't expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2367429, 2367430, 2372612, 2372614, 2372616, 2372617, 2372613, 2372615 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2025-05-17 16:01:04 UTC
|