
CVE-2023-27043 (MEDIUM): detected in Lambda Docker Images. #209

the-lambda-watchdog opened this issue Nov 2, 2024 · 0 comments
CVE Details

| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-27043 | MEDIUM | python | 2.7.18-1.amzn2.0.8 | 2.7.18-1.amzn2.0.9 | 2023-04-19T00:15:07.973Z | 2024-11-01T10:18:48.173360987Z |

Affected Docker Images

| Image Name | SHA |
| --- | --- |
| public.ecr.aws/lambda/provided:al2 | public.ecr.aws/lambda/provided@sha256:a6feb044370fa9e485ede4076d104a27039922f1eb04e5bfafd90b8e0866d788 |
| public.ecr.aws/lambda/python:3.11 | public.ecr.aws/lambda/python@sha256:c06d4356e7001c9e655e3ba6f627563c3dab6aaed8efcfb0d197af517bc25fdf |
| public.ecr.aws/lambda/python:3.10 | public.ecr.aws/lambda/python@sha256:cfcb5265dc22c70a9028a7d48e56e758564ac435104f1ba799996b993a403de4 |
| public.ecr.aws/lambda/python:3.9 | public.ecr.aws/lambda/python@sha256:70960c37723ef817a643c85f7bf6790eb34e2c8a25d4fd8037366115ee4edf10 |
| public.ecr.aws/lambda/python:3.8 | public.ecr.aws/lambda/python@sha256:d007275970342cd653f7494f85b187b86123be6b284dc4393b82e8603a9c1793 |
| public.ecr.aws/lambda/nodejs:18 | public.ecr.aws/lambda/nodejs@sha256:cbe1e63bffb0008f12ea21b4790386e177f609163b7a59136b5ee8d8bbf465f2 |
| public.ecr.aws/lambda/java:17 | public.ecr.aws/lambda/java@sha256:8d7ff185bf224f4fb73767916a58cbc0270ab4f9299875e398c8f996d5414bb2 |
| public.ecr.aws/lambda/java:11 | public.ecr.aws/lambda/java@sha256:27c1637a955d02543c0c85c697a73a04783d005652af2beae61f45ee5d7fbcbb |
| public.ecr.aws/lambda/java:8.al2 | public.ecr.aws/lambda/java@sha256:dd771cac1fe02c0fc52bd7134d39e9980a35e9a4b24bfa9aac17d279ea32095e |
| public.ecr.aws/lambda/dotnet:6 | public.ecr.aws/lambda/dotnet@sha256:039db41abd97e8762ae406242f7506c2e43fc8bd824a2d78366d16556438261d |
| public.ecr.aws/lambda/ruby:3.2 | public.ecr.aws/lambda/ruby@sha256:0c3bf3b3764e0630812f00d6d6faaa0d3b220aa29e0c630285649f15defcbdc0 |

Description

The email module of Python through 3.11.3 incorrectly parses e-mail addresses that contain a special character. The wrong portion of an RFC2822 header is identified as the value of the addr-spec. In some applications, an attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain (e.g., only @company.example.com addresses may be used for signup). This occurs in email/_parseaddr.py in recent versions of Python.
Remediation Steps

  • Update the affected package python from version 2.7.18-1.amzn2.0.8 to 2.7.18-1.amzn2.0.9.

About this issue

  • This issue may not contain all the information about the CVE nor the images it affects.
  • This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
  • For more, visit Lambda Watchdog.
  • This issue was created automatically by Lambda Watchdog.