Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AWS CLI version 2.24.4 is vulnerable to CVE-2024-12254 #9300

Open
1 task
pafrank-mcd opened this issue Feb 14, 2025 · 1 comment
Open
1 task

AWS CLI version 2.24.4 is vulnerable to CVE-2024-12254 #9300

pafrank-mcd opened this issue Feb 14, 2025 · 1 comment
Assignees
@RyanFitzSimmonsAK
Labels
bug This issue is a bug. p2 This is a standard priority issue

Comments

@pafrank-mcd
Copy link

Describe the bug

The latest aws cli v2 (2.24.4) is vulnerable to CVE-2024-12254.
The distribution contains Python 3.12 which is vulnerable and needs to be upgraded to a higher version 3.12.9
https://alas.aws.amazon.com/AL2023/ALAS-2025-808.html

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

The package should not be vulnerable.

Current Behavior

Vulnerability scan result:
Vulnerability found in non-os package type (binary) - /usr/local/aws-cli/v2/2.24.2/dist/libpython3.12.so.1.0 (fixed in: 3.12.9, 3.13.2, 3.14.0a3)(CVE-2024-12254 - https://nvd.nist.gov/vuln/detail/CVE-2024-12254)

Reproduction Steps

Install latest aws cli v2 on Amazon Linux public.ecr.aws/amazonlinux/amazonlinux:2023.6.20250128.0
Run the anchore scanner which will flag this as a "High" vulnerability

Possible Solution

Update the python distribution to 3.12.9

Additional Information/Context

No response

CLI version used

2.24.4

Environment details (OS name and version, etc.)

Amazon linux based container(2023.6.20250128.0)
@pafrank-mcd pafrank-mcd added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 14, 2025
@RyanFitzSimmonsAK RyanFitzSimmonsAK self-assigned this Feb 14, 2025
@RyanFitzSimmonsAK RyanFitzSimmonsAK added investigating This issue is being investigated and/or work is in progress to resolve the issue. p1 This is a high priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Feb 14, 2025
@RyanFitzSimmonsAK
Copy link
Contributor

Hi @pafrank-mcd, thanks for reaching out. AWS CLI is not impacted by CVE-2024-12254, and no action is required to mitigate it. We intend to update the bundled Python interpreter in the near future, which will resolve these scanner alerts.

@RyanFitzSimmonsAK RyanFitzSimmonsAK added p2 This is a standard priority issue and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. p1 This is a high priority issue labels Feb 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@RyanFitzSimmonsAK RyanFitzSimmonsAK

Labels
bug This issue is a bug. p2 This is a standard priority issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@RyanFitzSimmonsAK @pafrank-mcd