Vulnerability report for Docker python:3-slim

Vulnerabilities	22 via 47 paths
Dependencies	87
Source	Docker
Target OS	debian:13

Test your Docker Hub image against our market leading vulnerability database Sign up for free

Severity

Critical
High
Medium
Low
22

Status

Open
22
Patched
0
Ignored
0

low severity

Out-of-Bounds

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.41-12 and glibc/libc6@2.41-12

Detailed paths

Introduced through: python@3-slim › glibc/libc-bin@2.41-12
Introduced through: python@3-slim › glibc/libc6@2.41-12

NVD Description

Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

Out-of-Bounds vulnerability report

low severity

CVE-2005-2541

Vulnerable module: tar
Introduced through: tar@1.35+dfsg-3.1

Detailed paths

Introduced through: python@3-slim › tar@1.35+dfsg-3.1

NVD Description

Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

Remediation

There is no fixed version for Debian:13 tar.

References

CVE-2005-2541 vulnerability report

low severity

CVE-2019-1010023

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.41-12 and glibc/libc6@2.41-12

Detailed paths

Introduced through: python@3-slim › glibc/libc-bin@2.41-12
Introduced through: python@3-slim › glibc/libc6@2.41-12

NVD Description

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

CVE-2019-1010023 vulnerability report

low severity

Uncontrolled Recursion

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.41-12 and glibc/libc6@2.41-12

Detailed paths

Introduced through: python@3-slim › glibc/libc-bin@2.41-12
Introduced through: python@3-slim › glibc/libc6@2.41-12

NVD Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

Remediation

There is no fixed version for Debian:13 glibc.

References

Uncontrolled Recursion vulnerability report

low severity

Uncontrolled Recursion

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.41-12 and glibc/libc6@2.41-12

Detailed paths

Introduced through: python@3-slim › glibc/libc-bin@2.41-12
Introduced through: python@3-slim › glibc/libc6@2.41-12

NVD Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

Remediation

There is no fixed version for Debian:13 glibc.

References

Uncontrolled Recursion vulnerability report

low severity

Access Restriction Bypass

Vulnerable module: shadow/login.defs
Introduced through: shadow/login.defs@1:4.17.4-2 and shadow/passwd@1:4.17.4-2

Detailed paths

Introduced through: python@3-slim › shadow/login.defs@1:4.17.4-2
Introduced through: python@3-slim › shadow/passwd@1:4.17.4-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

Remediation

There is no fixed version for Debian:13 shadow.

References

Access Restriction Bypass vulnerability report

low severity

Information Exposure

Vulnerable module: util-linux
Introduced through: util-linux@2.41-5, util-linux/bsdutils@1:2.41-5 and others

Detailed paths

Introduced through: python@3-slim › util-linux@2.41-5
Introduced through: python@3-slim › util-linux/bsdutils@1:2.41-5
Introduced through: python@3-slim › util-linux/libblkid1@2.41-5
Introduced through: python@3-slim › util-linux/liblastlog2-2@2.41-5
Introduced through: python@3-slim › util-linux/libmount1@2.41-5
Introduced through: python@3-slim › util-linux/libsmartcols1@2.41-5
Introduced through: python@3-slim › util-linux/libuuid1@2.41-5
Introduced through: python@3-slim › util-linux/login@1:4.16.0-2+really2.41-5
Introduced through: python@3-slim › util-linux/mount@2.41-5

NVD Description

Note: Versions mentioned in the description apply only to the upstream util-linux package and not the util-linux package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

Remediation

There is no fixed version for Debian:13 util-linux.

References

Information Exposure vulnerability report

low severity

Information Exposure

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.41-12 and glibc/libc6@2.41-12

Detailed paths

Introduced through: python@3-slim › glibc/libc-bin@2.41-12
Introduced through: python@3-slim › glibc/libc6@2.41-12

NVD Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

Remediation

There is no fixed version for Debian:13 glibc.

References

Information Exposure vulnerability report

low severity

Use of Insufficiently Random Values

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.41-12 and glibc/libc6@2.41-12

Detailed paths

Introduced through: python@3-slim › glibc/libc-bin@2.41-12
Introduced through: python@3-slim › glibc/libc6@2.41-12

NVD Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.

Remediation

There is no fixed version for Debian:13 glibc.

References

Use of Insufficiently Random Values vulnerability report

low severity

Improper Validation of Integrity Check Value

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@257.8-1~deb13u2 and systemd/libudev1@257.8-1~deb13u2

Detailed paths

Introduced through: python@3-slim › systemd/libsystemd0@257.8-1~deb13u2
Introduced through: python@3-slim › systemd/libudev1@257.8-1~deb13u2

NVD Description

Note: Versions mentioned in the description apply only to the upstream systemd package and not the systemd package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

Improper Validation of Integrity Check Value vulnerability report

low severity

Improper Validation of Integrity Check Value

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@257.8-1~deb13u2 and systemd/libudev1@257.8-1~deb13u2

Detailed paths

Introduced through: python@3-slim › systemd/libsystemd0@257.8-1~deb13u2
Introduced through: python@3-slim › systemd/libudev1@257.8-1~deb13u2

NVD Description

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

Improper Validation of Integrity Check Value vulnerability report

low severity

Improper Validation of Integrity Check Value

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@257.8-1~deb13u2 and systemd/libudev1@257.8-1~deb13u2

Detailed paths

Introduced through: python@3-slim › systemd/libsystemd0@257.8-1~deb13u2
Introduced through: python@3-slim › systemd/libudev1@257.8-1~deb13u2

NVD Description

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

Remediation

There is no fixed version for Debian:13 systemd.

References

Improper Validation of Integrity Check Value vulnerability report

low severity

Race Condition

Vulnerable module: coreutils
Introduced through: coreutils@9.7-3

Detailed paths

Introduced through: python@3-slim › coreutils@9.7-3

NVD Description

Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

Remediation

There is no fixed version for Debian:13 coreutils.

References

Race Condition vulnerability report

low severity

Stack-based Buffer Overflow

Vulnerable module: coreutils
Introduced through: coreutils@9.7-3

Detailed paths

Introduced through: python@3-slim › coreutils@9.7-3

NVD Description

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.

Remediation

There is no fixed version for Debian:13 coreutils.

References

Stack-based Buffer Overflow vulnerability report

low severity

Link Following

Vulnerable module: systemd/libsystemd0
Introduced through: systemd/libsystemd0@257.8-1~deb13u2 and systemd/libudev1@257.8-1~deb13u2

Detailed paths

Introduced through: python@3-slim › systemd/libsystemd0@257.8-1~deb13u2
Introduced through: python@3-slim › systemd/libudev1@257.8-1~deb13u2

NVD Description

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

Remediation

There is no fixed version for Debian:13 systemd.

References

Link Following vulnerability report

low severity

Resource Management Errors

Vulnerable module: glibc/libc-bin
Introduced through: glibc/libc-bin@2.41-12 and glibc/libc6@2.41-12

Detailed paths

Introduced through: python@3-slim › glibc/libc-bin@2.41-12
Introduced through: python@3-slim › glibc/libc6@2.41-12

NVD Description

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

Remediation

There is no fixed version for Debian:13 glibc.

References

Resource Management Errors vulnerability report

low severity

Memory Leak

Vulnerable module: sqlite3/libsqlite3-0
Introduced through: sqlite3/libsqlite3-0@3.46.1-7

Detailed paths

Introduced through: python@3-slim › sqlite3/libsqlite3-0@3.46.1-7

NVD Description

Note: Versions mentioned in the description apply only to the upstream sqlite3 package and not the sqlite3 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

Remediation

There is no fixed version for Debian:13 sqlite3.

References

Memory Leak vulnerability report

low severity

Improper Verification of Cryptographic Signature

Vulnerable module: apt
Introduced through: apt@3.0.3 and apt/libapt-pkg7.0@3.0.3

Detailed paths

Introduced through: python@3-slim › apt@3.0.3
Introduced through: python@3-slim › apt/libapt-pkg7.0@3.0.3

NVD Description

Note: Versions mentioned in the description apply only to the upstream apt package and not the apt package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

Remediation

There is no fixed version for Debian:13 apt.

References

Improper Verification of Cryptographic Signature vulnerability report

low severity

Out-of-Bounds

Vulnerable module: ncurses/libncursesw6
Introduced through: ncurses/libncursesw6@6.5+20250216-2, ncurses/libtinfo6@6.5+20250216-2 and others

Detailed paths

Introduced through: python@3-slim › ncurses/libncursesw6@6.5+20250216-2
Introduced through: python@3-slim › ncurses/libtinfo6@6.5+20250216-2
Introduced through: python@3-slim › ncurses/ncurses-base@6.5+20250216-2
Introduced through: python@3-slim › ncurses/ncurses-bin@6.5+20250216-2

NVD Description

Note: Versions mentioned in the description apply only to the upstream ncurses package and not the ncurses package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A vulnerability has been found in GNU ncurses up to 6.5-20250322 and classified as problematic. This vulnerability affects the function postprocess_termcap of the file tinfo/parse_entry.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. Upgrading to version 6.5-20250329 is able to address this issue. It is recommended to upgrade the affected component.

Remediation

There is no fixed version for Debian:13 ncurses.

References

Out-of-Bounds vulnerability report

low severity

Link Following

Vulnerable module: perl/perl-base
Introduced through: perl/perl-base@5.40.1-6

Detailed paths

Introduced through: python@3-slim › perl/perl-base@5.40.1-6

NVD Description

Note: Versions mentioned in the description apply only to the upstream perl package and not the perl package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

Remediation

There is no fixed version for Debian:13 perl.

References

Link Following vulnerability report

low severity

CVE-2024-56433

Vulnerable module: shadow/login.defs
Introduced through: shadow/login.defs@1:4.17.4-2 and shadow/passwd@1:4.17.4-2

Detailed paths

Introduced through: python@3-slim › shadow/login.defs@1:4.17.4-2
Introduced through: python@3-slim › shadow/passwd@1:4.17.4-2

NVD Description

shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

Remediation

There is no fixed version for Debian:13 shadow.

References

CVE-2024-56433 vulnerability report

low severity

new

CVE-2025-7709

Vulnerable module: sqlite3/libsqlite3-0
Introduced through: sqlite3/libsqlite3-0@3.46.1-7

Detailed paths

Introduced through: python@3-slim › sqlite3/libsqlite3-0@3.46.1-7

NVD Description

An integer overflow exists in the FTS5 https://sqlite.org/fts5.html extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.

Remediation

There is no fixed version for Debian:13 sqlite3.

References

CVE-2025-7709 vulnerability report

Vulnerabilities

Dependencies

Source

Target OS

low severity

Out-of-Bounds

Detailed paths

NVD Description

Remediation

References

low severity

CVE-2005-2541

Detailed paths

NVD Description

Remediation

References

low severity

CVE-2019-1010023

Detailed paths

NVD Description

Remediation

References

low severity

Uncontrolled Recursion

Detailed paths

NVD Description

Remediation

References

low severity

Uncontrolled Recursion

Detailed paths

NVD Description

Remediation

References

low severity

Access Restriction Bypass

Detailed paths

NVD Description

Remediation

References

low severity

Information Exposure

Detailed paths

NVD Description

Remediation

References

low severity

Information Exposure

Detailed paths

NVD Description

Remediation

References

low severity

Use of Insufficiently Random Values

Detailed paths

NVD Description

Remediation

References

low severity

Improper Validation of Integrity Check Value

Detailed paths

NVD Description

Remediation

References

low severity

Improper Validation of Integrity Check Value

Detailed paths

NVD Description

Remediation

References

low severity

Improper Validation of Integrity Check Value

Detailed paths

NVD Description

Remediation

References

low severity

Race Condition

Detailed paths

NVD Description

low severity

new