Addressing CVE-2022-40897 Vulnerability in Python 3.11.9-alpine3.19 Docker Image

[akmatoliya]

We have identified that our Docker image is affected by the CVE-2022-40897 vulnerability. This vulnerability allows remote attackers to execute arbitrary code or cause of DOS via a crafted image file, leading to potential system compromise or disruption.

Could you please provide an estimated timeline for fixing this issue? Additionally, any guidance on how to address this vulnerability effectively would be highly appreciated.? We would like to ensure that our system remains secure and up-to-date.

Thank you.

[yosifkit]

We explicitly already updated setuptools for this CVE in python 3.10, 3.11, and 3.12 images (https://github.com/docker-library/python/issues/781 ->https://github.com/docker-library/python/pull/783), so the scanner is incorrect.

[tianon]

This vulnerability allows remote attackers to execute arbitrary code or cause of DOS via a crafted image file, ...

Uhhhh, what? If this is exploitable in your application, that would mean you're importing setuptools into your application, which seems highly unusual. The only other alternative I can think of is that you're perhaps running untrusted images, which is already "arbitrary code" so I fail to see how this increases the surface area of attack in any appreciable way?