CVE-2023-42366 Vulnerability in Python 3.11.9-alpine3.19 Docker Image

[akmatoliya]

We have identified a critical security vulnerability (CVE-2023-42366) present in our Docker image. This vulnerability poses a significant risk to our system's security and integrity. Immediate action is required to mitigate potential exploitation.

Issue Details:

• CVE ID: CVE-2023-42366
• Description: A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.

Could you please provide an estimated timeline for fixing this issue? Additionally, any guidance on how to address this vulnerability effectively would be highly appreciated.? We would like to ensure that our system remains secure and up-to-date.

Thank you.

[yosifkit]

There isn't a fix available in Alpine 3.19, so there is nothing we can do: https://security.alpinelinux.org/vuln/CVE-2023-42366

[tianon]

This vulnerability poses a significant risk to our system's security and integrity.

Can you please elaborate how a heap buffer overflow in BusyBox awk's token parsing is a "significant risk" to your systems/deployments? Is your Python code shelling out to awk with untrusted input, for example? 🤔