
CVE-2023-42366 Vulnerability in Python 3.11.9-alpine3.19 Docker Image

Open akmatoliya opened this issue 1 year ago • 2 comments

We have identified a critical security vulnerability (CVE-2023-42366) present in our Docker image. This vulnerability poses a significant risk to our system's security and integrity. Immediate action is required to mitigate potential exploitation.

Issue Details:

  • CVE ID: CVE-2023-42366
  • Description: A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.

Could you please provide an estimated timeline for fixing this issue? Additionally, any guidance on how to address this vulnerability effectively would be highly appreciated. We would like to ensure that our system remains secure and up-to-date.

Thank you.

akmatoliya avatar Apr 17 '24 19:04 akmatoliya

There isn't a fix available in Alpine 3.19, so there is nothing we can do: https://security.alpinelinux.org/vuln/CVE-2023-42366

yosifkit avatar Apr 17 '24 20:04 yosifkit

This vulnerability poses a significant risk to our system's security and integrity.

Can you please elaborate how a heap buffer overflow in BusyBox awk's token parsing is a "significant risk" to your systems/deployments? Is your Python code shelling out to awk with untrusted input, for example? :thinking:

tianon avatar Apr 17 '24 20:04 tianon
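The maintainer's question above is the right triage step: the BusyBox bug is only reachable if something in the image actually runs `awk` on attacker-influenced data. The script below is an added example (not code from this thread, from the docker-library maintainers, or from BusyBox) that does a static pass over Python source and reports `subprocess`/`os` calls whose arguments name `awk` as the program, and whether the command line is built from variables rather than fixed literals. It assumes you have the application source available to scan; `SAMPLE_SOURCE` is a constructed snippet, not code from the reporter.

```python
import ast
import re

# Constructed sample of application code (not from the issue): two awk
# invocations built from caller-supplied values, and one unrelated
# subprocess call that must not be flagged.
SAMPLE_SOURCE = '''
import subprocess, os
def parse(path, user_field):
    out = subprocess.run(["awk", "-F:", "{print $" + user_field + "}", path])
    os.system("awk '{print $1}' " + path)
    return subprocess.check_output(["sort", path])
'''

# Call names that exec a program or hand a command line to a shell.
SHELL_FUNCS = {"run", "check_output", "call", "check_call", "Popen", "system", "popen"}
# "awk" as the program name: at the start of a string, or after whitespace,
# a path separator or a shell operator, so the word inside other text is ignored.
AWK_RE = re.compile(r"(^|[\s/|;&(])awk\b")


def _string_parts(node):
    """Yield string literals reachable inside one call argument."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        yield node.value
    elif isinstance(node, ast.JoinedStr):          # f-string pieces
        for v in node.values:
            yield from _string_parts(v)
    elif isinstance(node, ast.BinOp):              # "a" + b + "c"
        yield from _string_parts(node.left)
        yield from _string_parts(node.right)
    elif isinstance(node, (ast.List, ast.Tuple)):  # argv-style lists
        for e in node.elts:
            yield from _string_parts(e)


def find_awk_invocations(source):
    """Return a sorted list of (lineno, callee, dynamic_args) for every
    subprocess/os call whose arguments name awk as the program.
    dynamic_args is True when any argument contains a variable, i.e. the
    command line is not a fixed literal and may carry outside input."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name not in SHELL_FUNCS:
            continue
        args = list(node.args) + [k.value for k in node.keywords]
        strings = [s for a in args for s in _string_parts(a)]
        if not any(AWK_RE.search(s) for s in strings):
            continue
        dynamic = any(isinstance(n, ast.Name) for a in args for n in ast.walk(a))
        hits.append((node.lineno, name, dynamic))
    return sorted(hits)


if __name__ == "__main__":
    for lineno, callee, dynamic in find_awk_invocations(SAMPLE_SOURCE):
        print(f"line {lineno}: {callee}() invokes awk, dynamic arguments: {dynamic}")
```

A hit with `dynamic_args` False is a fixed command over fixed data and is not reachable by an outside party; a hit with `dynamic_args` True is where you look at where the variable comes from. No hits at all, together with no shell scripts in the image calling `awk`, is the answer to the maintainer's question. To confirm which BusyBox the image actually ships, `docker run --rm python:3.11.9-alpine3.19 busybox | head -1` prints the version banner (expected to report v1.36.1 on the tag named in the issue).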