
bug: localstack includes vulnerable python package setuptools 65.5.1 CVE-2024-6345 #12171

@gianlucabonetti

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The current localstack release includes the vulnerable Python package setuptools 65.5.1 (CVE-2024-6345).
The fixed version 75.8.0 is already available.

https://nvd.nist.gov/vuln/detail/cve-2024-6345
"A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions."

Expected Behavior

No vulnerable packages to be shipped in the localstack image

How are you starting LocalStack?

With a docker run command

Steps To Reproduce

How are you starting localstack (e.g., bin/localstack command, arguments, or docker-compose.yml)

docker run localstack/localstack

Client commands (e.g., AWS SDK code snippet, or sequence of "awslocal" commands)

awslocal s3 mb s3://mybucket

Environment

- OS: Debian 12.7
- LocalStack:
  LocalStack version: 4.0.4.dev124
  LocalStack build date: 2025-01-23
  LocalStack build git hash: 20f919b3a
  LocalStack Docker image sha: 4cac59e88053

Anything else?

No response
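An added check, not part of this report or of the LocalStack project, that reads `pip list --format=json` output (as a vulnerability scanner would) and flags packages still below their patched release. The 70.0.0 threshold for setuptools is taken from the GitHub advisory for CVE-2024-6345; the `docker run --entrypoint python` invocation assumes the image's `python` is the interpreter whose site-packages the scanner inspected.

```python
"""Audit a `pip list --format=json` dump for packages below a known-patched release."""
import json
import re
import subprocess
import sys
# Minimum patched release per package. setuptools: CVE-2024-6345 is fixed in 70.0.0
# (GitHub advisory GHSA-cx63-2mw6-8hw5); the report above quotes NVD's "up to 69.1.1" wording.
MIN_FIXED = {"setuptools": ("70.0.0", "CVE-2024-6345")}

def parse_version(text):
    """Numeric release segment of a PEP 440 version: '65.5.1' -> (65, 5, 1).
    Pre-release and local tags (rc1, +local) are ignored; enough for these checks."""
    match = re.match(r"^(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_vulnerable(installed, fixed):
    """True when `installed` sorts strictly below `fixed` (65.5.1 < 70.0.0)."""
    have, want = parse_version(installed), parse_version(fixed)
    width = max(len(have), len(want))          # so that 70 == 70.0.0
    have += (0,) * (width - len(have))
    want += (0,) * (width - len(want))
    return have < want

def audit(pip_list_json):
    """Return (name, installed, fixed, advisory) for each package below its patched release."""
    findings = []
    for pkg in json.loads(pip_list_json):
        name = pkg["name"].lower().replace("_", "-")   # normalise as pip does
        if name in MIN_FIXED:
            fixed, advisory = MIN_FIXED[name]
            if is_vulnerable(pkg["version"], fixed):
                findings.append((name, pkg["version"], fixed, advisory))
    return findings

def audit_image(image):
    """Run pip inside the image and audit the result. Assumes `python` on the image's
    PATH is the interpreter whose site-packages the scanner flagged (unverified)."""
    cmd = ["docker", "run", "--rm", "--entrypoint", "python", image,
           "-m", "pip", "list", "--format", "json"]
    return audit(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)

# Constructed sample mirroring the report; not captured from the real image.
SAMPLE = json.dumps([{"name": "setuptools", "version": "65.5.1"}, {"name": "pip", "version": "24.0"}])
if __name__ == "__main__":
    findings = audit_image(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE)
    for name, have, fixed, advisory in findings:
        print(f"{name} {have} is below patched release {fixed} ({advisory})")
    sys.exit(1 if findings else 0)
```

Run it with an image name (`python audit.py localstack/localstack`) to inspect a real image; a non-zero exit status makes it usable as a CI gate.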
