GCVE - cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:python:setuptools:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Python (`b57ad93a-6195-5192-9423-6cfad6044a8b`)
Product	Setuptools (`43f7b15f-6553-581a-9552-2ceaa087ebf8`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from purl2cpe mapping

PURL mappings

PURL	Source	Last updated
`pkg:deb/debian/pypy-setuptools`	purl2cpe	2026-06-01 10:16:28.387038
`pkg:deb/debian/python-setuptools`	purl2cpe	2026-06-01 10:16:28.387041
`pkg:deb/ubuntu/pypy-setuptools`	purl2cpe	2026-06-01 10:16:28.387045
`pkg:deb/ubuntu/python-setuptools`	purl2cpe	2026-06-01 10:16:28.387047
`pkg:github/pypa/setuptools`	purl2cpe	2026-06-01 10:16:28.387050
`pkg:gitlab/python-setuptools`	purl2cpe	2026-06-01 10:16:28.387053
`pkg:pypi/setuptools`	purl2cpe	2026-06-01 10:16:28.387056
`pkg:rpm/fedora/python-setuptools`	purl2cpe	2026-06-01 10:16:28.387058
`pkg:rpm/opensuse/python-setuptools`	purl2cpe	2026-06-01 10:16:28.387061

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-47273`	vulnerable	2026-06-03 15:01:28.725675	setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue. Published: 2025-05-17T15:46:11.399Z Updated: 2025-05-28T15:03:15.516Z Open on db.gcve.eu Reference links https://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf https://github.com/pypa/setuptools/issues/4946 https://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2022-40897`	vulnerable	2026-06-03 14:48:03.686017	Details available Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. Published: 2022-12-22T00:00:00.000Z Updated: 2025-11-04T16:09:54.794Z Open on db.gcve.eu Reference links https://github.com/pypa/setuptools/blob/fe8a98e696241487ba6ac9f91faa38ade939ec5d/setuptools/package_index.py#L200 https://pyup.io/posts/pyup-discovers-redos-vulnerabilities-in-top-python-packages/ https://github.com/pypa/setuptools/commit/43a9c9bfa6aa626ec2a22540bea28d2ca77964be https://pyup.io/vulnerabilities/CVE-2022-40897/52495/ https://github.com/pypa/setuptools/compare/v65.5.0...v65.5.1	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1633`	vulnerable	2026-06-03 14:32:50.524849	Details available easy_install in setuptools before 0.7 uses HTTP to retrieve packages from the PyPI repository, and does not perform integrity checks on package contents, which allows man-in-the-middle attackers to execute arbitrary code via a crafted response to the default use of the product. Published: 2013-08-06T01:00:00.000Z Updated: 2024-09-16T23:00:21.247Z Open on db.gcve.eu Reference links https://pypi.python.org/pypi/setuptools/0.9.8#changes http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_untrusted_network_a/	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.