{"id":"CVE-2022-42969","details":"The py library through 1.11.0 for Python allows remote attackers to conduct a ReDoS (Regular expression Denial of Service) attack via a Subversion repository with crafted info data, because the InfoSvnCommand argument is mishandled. Note: This has been disputed by multiple third parties, who report that it is not reproducible and argue that it is not a valid vulnerability.","aliases":["GHSA-w596-4wvx-j9j6","PYSEC-2022-42969"],"modified":"2026-04-16T04:40:03.332944056Z","published":"2022-10-16T06:15:09.797Z","related":["SUSE-SU-2023:0161-1","SUSE-SU-2023:0395-1","SUSE-SU-2023:0681-1","openSUSE-SU-2024:13211-1"],"references":[{"type":"WEB","url":"https://github.com/pytest-dev/py/blob/cb87a83960523a2367d0f19226a73aed4ce4291d/py/_path/svnurl.py#L316"},{"type":"REPORT","url":"https://github.com/pytest-dev/py/issues/287"},{"type":"REPORT","url":"https://news.ycombinator.com/item?id=34163710"},{"type":"PACKAGE","url":"https://pypi.org/project/py"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pytest-dev/py","events":[{"introduced":"0"},{"last_affected":"447bac514febbb5433963582103d48bb27b3db17"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.11.0"}]}}],"versions":["1.0.0b3","1.1.0","1.1.1","1.10.0","1.11.0","1.2.0","1.2.1","1.3.0","1.3.1","1.3.2","1.3.3","1.4.0","1.4.1","1.4.10","1.4.11","1.4.12","1.4.13","1.4.14","1.4.15","1.4.16","1.4.17","1.4.18","1.4.19","1.4.2","1.4.20","1.4.21","1.4.23","1.4.24","1.4.25","1.4.26","1.4.27","1.4.28","1.4.29","1.4.3","1.4.30","1.4.31","1.4.34","1.4.4","1.4.6","1.4.7","1.4.9","1.5.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-42969.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}