
AWS Inspector reports High vulnerability in examples/pipenv.lock #6342

@kuzin2006

Description

Be sure to check the existing issues (both open and closed!), and make sure you are running the latest version of Pipenv.

Check the diagnose documentation for common issues before posting! We may close your issue if it is very similar to one of them. Please be considerate, or be on your way.

Make sure to mention your debugging experience if the documented solution failed.

Issue description

An AWS Inspector run returns a High severity finding on builds with pipenv for examples/pipenv.lock. The file's example data leads to the reporting of a high severity vulnerability, breaking our product pipelines.

Expected result

No issues

Actual result

Report fragment:

```json
{
    "SchemaVersion": "2018-10-08",
    "ProductArn": "arn:aws:securityhub:us-east-1::product/aws/inspector",
    "ProductName": "Inspector",
    "CompanyName": "Amazon",
    "Region": "us-east-1",
    "GeneratorId": "AWSInspector",
    "Types": [
        "Software and Configuration Checks/Vulnerabilities/CVE"
    ],
    "FirstObservedAt": "2025-01-28T15:27:08.842Z",
    "LastObservedAt": "2025-02-04T08:12:52.044Z",
    "CreatedAt": "2025-01-28T15:27:08.842Z",
    "UpdatedAt": "2025-02-04T08:12:52.044Z",
    "Severity": {
        "Label": "HIGH",
        "Normalized": 70
    },
    "Title": "CVE-2024-3651 - idna",
    "Description": "A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.",
    "Remediation": {
        "Recommendation": {
            "Text": "Remediation is available. Please refer to the Fixed version in the vulnerability details section above.For detailed remediation guidance for each of the affected packages, refer to the vulnerabilities section of the detailed finding JSON."
        }
    },
    "ProductFields": {
        "aws/inspector/ProductVersion": "2",
        "aws/inspector/FindingStatus": "ACTIVE",
        "aws/inspector/inspectorScore": "7.5",
        "aws/inspector/resources/1/resourceDetails/awsEcrContainerImageDetails/platform": "DEBIAN_12",
        "aws/inspector/packageVulnerabilityDetails/vulnerablePackages/sourceLayerHashes": "sha256:2afed5f3dce86d2b6d5c99c72109e30528fe90b39fcad341d3b9a9232b5089bb",
        "aws/securityhub/FindingId": "arn:aws:securityhub:us-east-1::product/aws/inspector/arn:aws:inspector2:us-east-1:588145730505:finding/8ebe3faa369f1f162815e6f6ef46ebc9",
        "aws/securityhub/ProductName": "Inspector",
        "aws/securityhub/CompanyName": "Amazon"
    },
    "Resources": [
        {
            "Type": "AwsEcrContainerImage",
            "Partition": "aws",
            "Region": "us-east-1"
        }
    ],
    "WorkflowState": "NEW",
    "Workflow": {
        "Status": "NEW"
    },
    "RecordState": "ACTIVE",
    "Vulnerabilities": [
        {
            "Id": "CVE-2024-3651",
            "VulnerablePackages": [
                {
                    "Name": "idna",
                    "Version": "3.4",
                    "Epoch": "0",
                    "PackageManager": "PYTHON",
                    "FilePath": "usr/local/lib/python3.11/site-packages/examples/Pipfile.lock",
                    "FixedInVersion": "3.7",
                    "SourceLayerHash": "sha256:2afed5f3dce86d2b6d5c99c72109e30528fe90b39fcad341d3b9a9232b5089bb"
                }
            ],
            "Cvss": [
                {
                    "Version": "3.1",
                    "BaseScore": 7.5,
                    "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                    "Source": "NVD"
                },
                {
                    "Version": "3.1",
                    "BaseScore": 7.5,
                    "BaseVector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                    "Source": "NVD"
                }
            ],
            "Vendor": {
                "Name": "NVD",
                "Url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3651",
                "VendorSeverity": "HIGH",
                "VendorCreatedAt": "2024-07-07T18:15:09.000Z",
                "VendorUpdatedAt": "2024-11-21T09:30:05.000Z"
            },
            "ReferenceUrls": [
                "https://nvd.nist.gov/vuln/detail/CVE-2024-3651"
            ],
            "FixAvailable": "YES",
            "EpssScore": 0.00046,
            "ExploitAvailable": "NO"
        }
    ],
    "FindingProviderFields": {
        "Severity": {
            "Label": "HIGH"
        },
        "Types": [
            "Software and Configuration Checks/Vulnerabilities/CVE"
        ]
    },
    "ProcessedAt": "2025-02-04T08:13:04.254Z"
}
```

Steps to replicate

The report mentioned above is the result of an automated job run.
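The finding above points at a Pipfile.lock under `site-packages/examples/`, so the first triage question is whether the pinned idna 3.4 is actually installed or only referenced by a shipped example file. The following script is an added example, not code from pipenv or from the reporter; it parses a constructed Pipfile.lock fragment (the pins are invented, not the real examples file), compares each pin against the distributions actually installed in the running interpreter, and classifies the finding accordingly.

```python
"""Triage an Inspector-style Pipfile.lock finding: is the flagged package
actually installed, or does only a lock file mentioning it exist on the image?"""
import json
from importlib.metadata import distributions

# Constructed sample lock fragment for the demo; NOT pipenv's real examples/Pipfile.lock.
SAMPLE_LOCK = json.dumps({
    "_meta": {"hash": {"sha256": "constructed-placeholder"}},
    "default": {
        "idna": {"version": "==3.4", "hashes": ["sha256:constructed-placeholder"]},
        "requests": {"version": "==2.31.0"},
    },
    "develop": {},
})


def parse_pins(lock_text):
    """Return {name: version} for every '==' pin in a Pipfile.lock (default + develop)."""
    lock = json.loads(lock_text)
    pins = {}
    for section in ("default", "develop"):
        for name, spec in lock.get(section, {}).items():
            version = spec.get("version", "")
            if version.startswith("=="):
                pins[name.lower()] = version[2:]
    return pins


def version_tuple(version):
    """Crude dotted-numeric comparison key; enough for idna-style versions."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def installed_versions():
    """Map of distributions importable in this interpreter (what really runs)."""
    return {d.metadata["Name"].lower(): d.version for d in distributions()}


def triage(lock_text, flagged, fixed_in, installed=None):
    """Classify a scanner finding for `flagged` whose fix landed in `fixed_in`.
    Returns 'installed-vulnerable', 'installed-fixed', 'lockfile-only' or 'absent'.
    `installed` may be injected for testing; by default the live environment is used."""
    pins = parse_pins(lock_text)
    installed = installed_versions() if installed is None else installed
    name = flagged.lower()
    if name in installed:
        if version_tuple(installed[name]) < version_tuple(fixed_in):
            return "installed-vulnerable"   # real exposure: patch the package
        return "installed-fixed"            # scanner matched stale metadata
    if name in pins and version_tuple(pins[name]) < version_tuple(fixed_in):
        return "lockfile-only"              # data file only; nothing importable
    return "absent"
```

Run `triage(open(path).read(), "idna", "3.7")` against the lock file the scanner cited; a `lockfile-only` result supports suppressing the finding and asking upstream to stop shipping the example lock, while `installed-vulnerable` means the image really needs the upgrade.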
