{ "threat_severity" : "Moderate", "public_date" : "2025-05-17T15:46:11Z", "bugzilla" : { "description" : "setuptools: Path Traversal Vulnerability in setuptools PackageIndex", "id" : "2366982", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2366982" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "status" : "verified" }, "cwe" : "CWE-22", "details" : [ "setuptools is a package that allows users to download, build, install, upgrade, and uninstall Python packages. A path traversal vulnerability in `PackageIndex` is present in setuptools prior to version 78.1.1. An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to remote code execution depending on the context. Version 78.1.1 fixes the issue.", "A path traversal vulnerability in the Python setuptools library allows attackers with limited system access to write files outside the intended temporary directory by manipulating package download URLs. This flaw bypasses basic filename sanitization and can lead to unauthorized overwrites of important system files, creating opportunities for further compromise. While it doesn't expose data or require user interaction, it poses a high integrity risk and is especially concerning in environments that rely on automated package handling or internal tooling built on setuptools." ], "statement" : "Red Hat Product Security has rated this vulnerability \"Moderate\" based on the impact of the damage caused by a successful exploitation and the pre-requisites.\n* Exploitation requires that the attacker have limited code execution access to a Python environment where they can trigger the vulnerable PackageIndex.download() function—this might be via a script, plugin, or automated job. Full admin rights aren't needed but a user with no access at all will be unable to exploit this vulnerability.\n* The vulnerability impacts the integrity of the system within the same security boundary—it does not enable access or compromise across trust boundaries (e.g., from one container to another or from user space to kernel).\n* Successful exploitation only allows the attacker to \"create\" new files. The vulnerability does not provide access to existing files and by an extension to any confidential information. \n* Arbitrary file writes can overwrite critical config files, executables, or scripts. This can lead to persistent code execution, system misconfiguration, or unauthorized behavior, especially in automated environments. While overwriting critical files could theoretically lead to service disruption, the vulnerability in isolation does not inherently cause denial of service. The exploit doesn't target availability directly, and in many cases, systems may continue running.", "affected_release" : [ { "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date" : "2025-08-26T00:00:00Z", "advisory" : "RHSA-2025:14686", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package" : "automation-controller-0:4.6.19-1.el8ap" }, { "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "release_date" : "2025-08-26T00:00:00Z", "advisory" : "RHSA-2025:14686", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "package" : "automation-controller-0:4.6.19-1.el9ap" }, { "product_name" : "Red Hat Enterprise Linux 10", "release_date" : "2025-07-01T00:00:00Z", "advisory" : "RHSA-2025:9940", "cpe" : "cpe:/o:redhat:enterprise_linux:10.0", "package" : "python-setuptools-0:69.0.3-12.el10_0" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2025-07-23T00:00:00Z", "advisory" : "RHSA-2025:11607", "cpe" : "cpe:/o:redhat:rhel_els:7", "package" : "python3-setuptools-0:39.2.0-10.el7_9.2" }, { "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date" : "2025-07-28T00:00:00Z", "advisory" : "RHSA-2025:11984", "cpe" : "cpe:/o:redhat:rhel_els:7", "package" : "python-setuptools-0:0.9.8-7.el7_9.2" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-07-15T00:00:00Z", "advisory" : "RHSA-2025:11043", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "python3.11-setuptools-0:65.5.1-4.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-07-15T00:00:00Z", "advisory" : "RHSA-2025:11044", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "python3.12-setuptools-0:68.2.2-5.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-08-28T00:00:00Z", "advisory" : "RHSA-2025:14900", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "python39:3.9-8100020250823160619.d47b87a4" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-08-28T00:00:00Z", "advisory" : "RHSA-2025:14900", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "python39-devel:3.9-8100020250823160619.d47b87a4" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-08-28T00:00:00Z", "advisory" : "RHSA-2025:14900", "cpe" : "cpe:/a:redhat:enterprise_linux:8::crb", "package" : "python39:3.9-8100020250823160619.d47b87a4" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-08-28T00:00:00Z", "advisory" : "RHSA-2025:14900", "cpe" : "cpe:/a:redhat:enterprise_linux:8::crb", "package" : "python39-devel:3.9-8100020250823160619.d47b87a4" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2025-07-15T00:00:00Z", "advisory" : "RHSA-2025:11036", "cpe" : "cpe:/o:redhat:enterprise_linux:8", "package" : "python-setuptools-0:39.2.0-9.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date" : "2025-07-21T00:00:00Z", "advisory" : "RHSA-2025:11426", "cpe" : "cpe:/o:redhat:rhel_aus:8.2", "package" : "python-setuptools-0:39.2.0-5.el8_2.2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-09-08T00:00:00Z", "advisory" : "RHSA-2025:15411", "cpe" : "cpe:/a:redhat:rhel_aus:8.4", "package" : "python39:3.9-8040020250825101027.63cd9eba" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2025-07-21T00:00:00Z", "advisory" : "RHSA-2025:11425", "cpe" : "cpe:/o:redhat:rhel_aus:8.4", "package" : "python-setuptools-0:39.2.0-6.el8_4.2" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-09-08T00:00:00Z", "advisory" : "RHSA-2025:15411", "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4", "package" : "python39:3.9-8040020250825101027.63cd9eba" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On", "release_date" : "2025-07-21T00:00:00Z", "advisory" : "RHSA-2025:11425", "cpe" : "cpe:/o:redhat:rhel_eus_long_life:8.4", "package" : "python-setuptools-0:39.2.0-6.el8_4.2" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-09-08T00:00:00Z", "advisory" : "RHSA-2025:15410", "cpe" : "cpe:/a:redhat:rhel_aus:8.6", "package" : "python39:3.9-8060020250826083212.6a631399" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date" : "2025-07-21T00:00:00Z", "advisory" : "RHSA-2025:11424", "cpe" : "cpe:/o:redhat:rhel_aus:8.6", "package" : "python-setuptools-0:39.2.0-7.el8_6.2" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-09-08T00:00:00Z", "advisory" : "RHSA-2025:15410", "cpe" : "cpe:/a:redhat:rhel_tus:8.6", "package" : "python39:3.9-8060020250826083212.6a631399" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date" : "2025-07-21T00:00:00Z", "advisory" : "RHSA-2025:11424", "cpe" : "cpe:/o:redhat:rhel_tus:8.6", "package" : "python-setuptools-0:39.2.0-7.el8_6.2" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-09-08T00:00:00Z", "advisory" : "RHSA-2025:15410", "cpe" : "cpe:/a:redhat:rhel_e4s:8.6", "package" : "python39:3.9-8060020250826083212.6a631399" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date" : "2025-07-21T00:00:00Z", "advisory" : "RHSA-2025:11424", "cpe" : "cpe:/o:redhat:rhel_e4s:8.6", "package" : "python-setuptools-0:39.2.0-7.el8_6.2" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13804", "cpe" : "cpe:/a:redhat:rhel_tus:8.8", "package" : "python3.11-setuptools-0:65.5.1-2.el8_8.2" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service", "release_date" : "2025-07-21T00:00:00Z", "advisory" : "RHSA-2025:11427", "cpe" : "cpe:/o:redhat:rhel_tus:8.8", "package" : "python-setuptools-0:39.2.0-7.el8_8.3" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13804", "cpe" : "cpe:/a:redhat:rhel_e4s:8.8", "package" : "python3.11-setuptools-0:65.5.1-2.el8_8.2" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-09-08T00:00:00Z", "advisory" : "RHSA-2025:15408", "cpe" : "cpe:/a:redhat:rhel_e4s:8.8", "package" : "python39:3.9-8080020250901141228.93c2fc2f" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions", "release_date" : "2025-07-21T00:00:00Z", "advisory" : "RHSA-2025:11427", "cpe" : "cpe:/o:redhat:rhel_e4s:8.8", "package" : "python-setuptools-0:39.2.0-7.el8_8.3" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-07-21T00:00:00Z", "advisory" : "RHSA-2025:11463", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "fence-agents-0:4.10.0-86.el9_6.7" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-08-05T00:00:00Z", "advisory" : "RHSA-2025:12834", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "python3.12-setuptools-0:68.2.2-5.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-08-11T00:00:00Z", "advisory" : "RHSA-2025:13578", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "python3.11-setuptools-0:65.5.1-4.el9_6" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2025-07-07T00:00:00Z", "advisory" : "RHSA-2025:10407", "cpe" : "cpe:/o:redhat:enterprise_linux:9", "package" : "python-setuptools-0:53.0.0-13.el9_6.1" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-07-21T00:00:00Z", "advisory" : "RHSA-2025:11464", "cpe" : "cpe:/a:redhat:rhel_e4s:9.0", "package" : "fence-agents-0:4.10.0-20.el9_0.23" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date" : "2025-07-23T00:00:00Z", "advisory" : "RHSA-2025:11584", "cpe" : "cpe:/o:redhat:rhel_e4s:9.0", "package" : "python-setuptools-0:53.0.0-13.el9_0" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-07-15T00:00:00Z", "advisory" : "RHSA-2025:11101", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "fence-agents-0:4.10.0-43.el9_2.14" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-08-13T00:00:00Z", "advisory" : "RHSA-2025:13803", "cpe" : "cpe:/a:redhat:rhel_e4s:9.2", "package" : "python3.11-setuptools-0:65.5.1-2.el9_2.2" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions", "release_date" : "2025-07-29T00:00:00Z", "advisory" : "RHSA-2025:12020", "cpe" : "cpe:/o:redhat:rhel_e4s:9.2", "package" : "python-setuptools-0:53.0.0-12.el9_2.3" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-07-15T00:00:00Z", "advisory" : "RHSA-2025:11102", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "fence-agents-0:4.10.0-62.el9_4.15" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-08-12T00:00:00Z", "advisory" : "RHSA-2025:13668", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "python3.12-setuptools-0:68.2.2-3.el9_4.2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-08-12T00:00:00Z", "advisory" : "RHSA-2025:13669", "cpe" : "cpe:/a:redhat:rhel_eus:9.4", "package" : "python3.11-setuptools-0:65.5.1-2.el9_4.2" }, { "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date" : "2025-07-28T00:00:00Z", "advisory" : "RHSA-2025:11868", "cpe" : "cpe:/o:redhat:rhel_eus:9.4", "package" : "python-setuptools-0:53.0.0-12.el9_4.2" }, { "product_name" : "Builds for Red Hat OpenShift 1.4.1", "release_date" : "2025-07-10T00:00:00Z", "advisory" : "RHSA-2025:10787", "cpe" : "cpe:/a:redhat:openshift_builds:1.4::el9", "package" : "openshift-builds/openshift-builds-shared-resource-rhel9:sha256:427f633ade9e76cb30c23e77ef39eb9a566a2ab20b60e63fa6b6889635ac48d7" }, { "product_name" : "Builds for Red Hat OpenShift 1.4.1", "release_date" : "2025-07-10T00:00:00Z", "advisory" : "RHSA-2025:10787", "cpe" : "cpe:/a:redhat:openshift_builds:1.4::el9", "package" : "openshift-builds/openshift-builds-shared-resource-webhook-rhel9:sha256:308b1fac2a46c02df4269dce9556b51c4486834dc860e2c4f286b2c7779e17eb" }, { "product_name" : "Builds for Red Hat OpenShift 1.4.1", "release_date" : "2025-07-15T00:00:00Z", "advisory" : "RHSA-2025:11146", "cpe" : "cpe:/a:redhat:openshift_builds:1.4::el9", "package" : "openshift-builds/openshift-builds-shared-resource-rhel9:sha256:1ef0ac67f7bdb99d431a68b30ac8362c9c54a5cd6b4dfe38a80e3e1e6635c6c0" }, { "product_name" : "Builds for Red Hat OpenShift 1.4.1", "release_date" : "2025-07-15T00:00:00Z", "advisory" : "RHSA-2025:11146", "cpe" : "cpe:/a:redhat:openshift_builds:1.4::el9", "package" : "openshift-builds/openshift-builds-shared-resource-webhook-rhel9:sha256:31572fdf501727e68e843fcdf927aab9f586057a0965192b205d34a270c64f6f" }, { "product_name" : "Builds for Red Hat OpenShift 1.5.2", "release_date" : "2025-07-17T00:00:00Z", "advisory" : "RHSA-2025:11388", "cpe" : "cpe:/a:redhat:openshift_builds:1.5::el9", "package" : "openshift-builds/openshift-builds-shared-resource-rhel9:sha256:171cab42a728839c5a6b88f728bcf409e058125c6d06ff5c577f5c18e3ef03f0" }, { "product_name" : "Builds for Red Hat OpenShift 1.5.2", "release_date" : "2025-07-17T00:00:00Z", "advisory" : "RHSA-2025:11388", "cpe" : "cpe:/a:redhat:openshift_builds:1.5::el9", "package" : "openshift-builds/openshift-builds-shared-resource-webhook-rhel9:sha256:5a1a90ff76f421741ced6fc36ec6d6f08ac6f0f9ed978c740ea8f96e82e075ce" }, { "product_name" : "Red Hat Developer Hub 1.5", "release_date" : "2025-07-14T00:00:00Z", "advisory" : "RHSA-2025:10992", "cpe" : "cpe:/a:redhat:rhdh:1.5::el9", "package" : "rhdh/rhdh-hub-rhel9:sha256:1d4c7fa815e480d838f9e375c65e78ef0e851ce093c84483a994673129d4643c" }, { "product_name" : "Red Hat Developer Hub 1.6", "release_date" : "2025-06-30T00:00:00Z", "advisory" : "RHSA-2025:9966", "cpe" : "cpe:/a:redhat:rhdh:1.6::el9", "package" : "rhdh/rhdh-hub-rhel9:sha256:79618b38d6f02457954b227d538e238fdebbb72a220af5bd6be3cfab3ad0f262" }, { "product_name" : "Red Hat Enterprise Linux AI 1.5", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19421", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1.5::el9", "package" : "rhelai1/instructlab-intel-rhel9:sha256:cf0ec4ad1520ff2ce83420846830286e036f310f880cf8a533f0966c35ebd32f" }, { "product_name" : "Red Hat Enterprise Linux AI 1.5", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19422", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1.5::el9", "package" : "rhelai1/bootc-intel-rhel9:sha256:601064840ac29ea7d4a977efb506df226a2931d5079ec9f432bdf60095bf7c2e" }, { "product_name" : "Red Hat Enterprise Linux AI 1.5", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19423", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1.5::el9", "package" : "rhelai1/instructlab-nvidia-rhel9:sha256:a17f53b6c19150fce3e6d456fde71a74bdab5da5eeb44bec7791084c3471a98e" }, { "product_name" : "Red Hat Enterprise Linux AI 1.5", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19424", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1.5::el9", "package" : "rhelai1/bootc-azure-amd-rhel9:sha256:f77167ea53b46b91631679ed84aab2373ff56dc62cba946296be212443bc2a99" }, { "product_name" : "Red Hat Enterprise Linux AI 1.5", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19425", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1.5::el9", "package" : "rhelai1/instructlab-amd-rhel9:sha256:03f22e965af16fe84aed7d30e7b8db00dead11d9fd4b11e3c9abb2e68dd910f1" }, { "product_name" : "Red Hat Enterprise Linux AI 1.5", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19426", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1.5::el9", "package" : "rhelai1/bootc-gcp-nvidia-rhel9:sha256:a83229f005c78e271c774f3eda26421fedbc4b8cf1ac3fe94234899c6d677124" }, { "product_name" : "Red Hat Enterprise Linux AI 1.5", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19427", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1.5::el9", "package" : "rhelai1/bootc-amd-rhel9:sha256:c029b66a3354ee6fd186a1f05aff31b5834e611b9d5b326b65b16829d6b98d1f" }, { "product_name" : "Red Hat Enterprise Linux AI 1.5", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19428", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1.5::el9", "package" : "rhelai1/bootc-nvidia-rhel9:sha256:0efbdee5f2ec93477b5aac5dd4c1dd9b31fe96e5e7c7dd701738ceaa86b2f2eb" }, { "product_name" : "Red Hat Enterprise Linux AI 1.5", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19429", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1.5::el9", "package" : "rhelai1/bootc-aws-nvidia-rhel9:sha256:385028a96717418982de197f8f0a9052edf12f80a50bd8ab53ca72203a4ba5d8" }, { "product_name" : "Red Hat Enterprise Linux AI 1.5", "release_date" : "2025-11-03T00:00:00Z", "advisory" : "RHSA-2025:19430", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1.5::el9", "package" : "rhelai1/bootc-azure-nvidia-rhel9:sha256:427596ae2591a30a0218b7cfdd858ccad96178ddc2618cdf0a6e4e9af36685bf" }, { "product_name" : "Red Hat Quay 3.14", "release_date" : "2026-03-10T00:00:00Z", "advisory" : "RHSA-2026:4215", "cpe" : "cpe:/a:redhat:quay:3.14::el8", "package" : "quay/quay-rhel8:sha256:05cc4b4410de27e32897492effb21362d8c1bc8cc56e9408fc9a19f9f3149899" }, { "product_name" : "Red Hat Satellite 6.17", "release_date" : "2025-07-10T00:00:00Z", "advisory" : "RHSA-2025:10809", "cpe" : "cpe:/a:redhat:satellite:6.17::el9", "package" : "satellite/iop-advisor-engine-rhel9:sha256:27eaac9b93113fd78a8932d112d9d37b940e337207df25f03ead05fffcf6be55" } ], "package_state" : [ { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "cert-manager/cert-manager-istio-csr-rhel9", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "cert-manager/cert-manager-operator-rhel9", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "cert-manager/jetstack-cert-manager-acmesolver-rhel9", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "cert-manager Operator for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "cert-manager/jetstack-cert-manager-rhel9", "cpe" : "cpe:/a:redhat:cert_manager:1" }, { "product_name" : "Confidential Compute Attestation", "fix_state" : "Affected", "package_name" : "confidential-compute-attestation-tech-preview/trustee-rhel9", "cpe" : "cpe:/a:redhat:confidential_compute_attestation:1" }, { "product_name" : "Custom Metric Autoscaler operator for Red Hat Openshift", "fix_state" : "Not affected", "package_name" : "custom-metrics-autoscaler/custom-metrics-autoscaler-operator-bundle", "cpe" : "cpe:/a:redhat:openshift_custom_metrics_autoscaler:2" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "openshift-logging/elasticsearch6-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Affected", "package_name" : "openshift-logging/logging-curator5-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Network Observability Operator", "fix_state" : "Not affected", "package_name" : "network-observability/network-observability-cli-rhel9", "cpe" : "cpe:/a:redhat:network_observ_optr:1" }, { "product_name" : "Network Observability Operator", "fix_state" : "Not affected", "package_name" : "network-observability/network-observability-operator-bundle", "cpe" : "cpe:/a:redhat:network_observ_optr:1" }, { "product_name" : "Network Observability Operator", "fix_state" : "Not affected", "package_name" : "network-observability/network-observability-rhel9-operator", "cpe" : "cpe:/a:redhat:network_observ_optr:1" }, { "product_name" : "OpenShift Lightspeed", "fix_state" : "Affected", "package_name" : "openshift-lightspeed-tech-preview/lightspeed-console-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift_lightspeed" }, { "product_name" : "OpenShift Lightspeed", "fix_state" : "Affected", "package_name" : "openshift-lightspeed-tech-preview/lightspeed-service-api-rhel9", "cpe" : "cpe:/a:redhat:openshift_lightspeed" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-chains-controller-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-cli-tkn-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-console-plugin-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-console-plugin-rhel9", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-controller-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-entrypoint-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-events-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-git-init-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-hub-api-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-hub-api-rhel9", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-hub-db-migration-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-hub-db-migration-rhel9", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-hub-ui-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-hub-ui-rhel9", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-nop-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-operator-proxy-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-operator-webhook-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-cli-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-controller-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-watcher-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-pipelines-as-code-webhook-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-resolvers-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-results-api-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-results-watcher-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-rhel8-operator", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-sidecarlogresults-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-triggers-controller-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-triggers-core-interceptors-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-triggers-eventlistenersink-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-triggers-webhook-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-webhook-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Pipelines", "fix_state" : "Will not fix", "package_name" : "openshift-pipelines/pipelines-workingdirinit-rhel8", "cpe" : "cpe:/a:redhat:openshift_pipelines:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "openshift-serverless-1/kn-ekb-dispatcher-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "openshift-serverless-1/kn-ekb-kafka-controller-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "openshift-serverless-1/kn-ekb-post-install-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "openshift-serverless-1/kn-ekb-receiver-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "OpenShift Serverless", "fix_state" : "Not affected", "package_name" : "openshift-serverless-1/kn-ekb-webhook-kafka-rhel8", "cpe" : "cpe:/a:redhat:serverless:1" }, { "product_name" : "Red Hat build of Quarkus Native builder", "fix_state" : "Affected", "package_name" : "mandrel-for-jdk-21-rhel8", "cpe" : "cpe:/a:redhat:quarkus:3" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Fix deferred", "package_name" : "python-setuptools", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "python3x-setuptools", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI)", "fix_state" : "Will not fix", "package_name" : "rhelai1/docling-serve-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI)", "fix_state" : "Will not fix", "package_name" : "rhelai1/ui-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1" }, { "product_name" : "Red Hat Offline Knowledge Portal", "fix_state" : "Affected", "package_name" : "offline-knowledge-portal/rhokp-rhel9", "cpe" : "cpe:/a:redhat:offline_knowledge_portal:1" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-dashboard-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-feast-operator-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-feature-server-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-ml-pipelines-api-server-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-ml-pipelines-artifact-manager-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-ml-pipelines-cache-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-ml-pipelines-persistenceagent-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-ml-pipelines-runtime-generic-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-ml-pipelines-scheduledworkflow-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-modelmesh-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhoai/odh-modelmesh-runtime-adapter-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-model-registry-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-training-operator-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Not affected", "package_name" : "rhoai/odh-trustyai-service-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhods/odh-ml-pipelines-api-server-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhods/odh-ml-pipelines-artifact-manager-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhods/odh-ml-pipelines-cache-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhods/odh-ml-pipelines-persistenceagent-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift AI (RHOAI)", "fix_state" : "Affected", "package_name" : "rhods/odh-ml-pipelines-scheduledworkflow-rhel8", "cpe" : "cpe:/a:redhat:openshift_ai" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/microshift-bootc-rhel9", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-ansible-operator", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ose-ansible-rhel9-operator", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift4/ztp-site-generate-rhel8", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Under investigation", "package_name" : "python-setuptools", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Under investigation", "package_name" : "rhcos", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/udi-rhel8", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat OpenShift Dev Spaces", "fix_state" : "Affected", "package_name" : "devspaces/udi-rhel9", "cpe" : "cpe:/a:redhat:openshift_devspaces:3" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/client-server-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/rekor-backfill-redis-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/rekor-cli-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/rekor-search-ui-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/rekor-server-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/segment-reporting-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/trillian-database-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/trillian-redis-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/tuffer-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Red Hat Trusted Artifact Signer", "fix_state" : "Affected", "package_name" : "rhtas/tuftool-rhel9", "cpe" : "cpe:/a:redhat:trusted_artifact_signer:1" }, { "product_name" : "Service Telemetry Framework 1.5", "fix_state" : "Not affected", "package_name" : "stf/prometheus-webhook-snmp-rhel8", "cpe" : "cpe:/a:redhat:stf:1.5" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-47273\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-47273\nhttps://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88\nhttps://github.com/pypa/setuptools/commit/250a6d17978f9f6ac3ac887091f2d32886fbbb0b\nhttps://github.com/pypa/setuptools/issues/4946\nhttps://github.com/pypa/setuptools/security/advisories/GHSA-5rjg-fvgr-3xxf" ], "name" : "CVE-2025-47273", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }