CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2025-0167 | MEDIUM | curl-minimal | 8.11.1-4.amzn2023.0.1 | 8.15.0-4.amzn2023.0.1 | 2025-02-05T10:15:22.71Z | 2026-01-08T10:18:24.928848896Z |
Affected Docker Images
| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/provided:latest | public.ecr.aws/lambda/provided@sha256:eb9e9e4a729d9b196467f8728f0a22530b38de43ec0b9b233414a1d668b0e4cd |
| public.ecr.aws/lambda/provided:al2023 | public.ecr.aws/lambda/provided@sha256:eb9e9e4a729d9b196467f8728f0a22530b38de43ec0b9b233414a1d668b0e4cd |
| public.ecr.aws/lambda/python:latest | public.ecr.aws/lambda/python@sha256:da91b03913bc525dbee8755fac06469337038504769f1167be2951d8444e2b13 |
| public.ecr.aws/lambda/python:3.14 | public.ecr.aws/lambda/python@sha256:834867e65287508faae9d0706181e3e5c72fe8d9b99319c6ab1096ce1494c4a4 |
| public.ecr.aws/lambda/python:3.13 | public.ecr.aws/lambda/python@sha256:da91b03913bc525dbee8755fac06469337038504769f1167be2951d8444e2b13 |
| public.ecr.aws/lambda/python:3.12 | public.ecr.aws/lambda/python@sha256:16139e0db9a15234bcb2956bc8e4fa41eb8529af3f78f3eaba4aa9ce987f2f68 |
| public.ecr.aws/lambda/nodejs:latest | public.ecr.aws/lambda/nodejs@sha256:7c0f198924ea29e201d4d44ffc8f97c6ec7be3bf7b91c848939e5c2eeff6d43c |
| public.ecr.aws/lambda/nodejs:24 | public.ecr.aws/lambda/nodejs@sha256:9d7dcad6de2f4bb85f65af1d70d14c936c671b0541a49566a2b5d3db51195b03 |
| public.ecr.aws/lambda/nodejs:22 | public.ecr.aws/lambda/nodejs@sha256:7c0f198924ea29e201d4d44ffc8f97c6ec7be3bf7b91c848939e5c2eeff6d43c |
| public.ecr.aws/lambda/nodejs:20 | public.ecr.aws/lambda/nodejs@sha256:c9db858f1061d1662d081a7d3fe30e1c9cf8dd4eb658f60ab34cc8ebe8f939a0 |
| public.ecr.aws/lambda/java:latest | public.ecr.aws/lambda/java@sha256:a9b13203dc78d1350ba83eb376eb2513967cbd50e66e8149e49bacc54963b7da |
| public.ecr.aws/lambda/java:25 | public.ecr.aws/lambda/java@sha256:a4121f47bd5eb241f5eaaa1d45fcb7b6f36ad81e100001185c9aa82f5a675933 |
| public.ecr.aws/lambda/java:21 | public.ecr.aws/lambda/java@sha256:a9b13203dc78d1350ba83eb376eb2513967cbd50e66e8149e49bacc54963b7da |
| public.ecr.aws/lambda/dotnet:latest | public.ecr.aws/lambda/dotnet@sha256:c52688e51efa796c3222e8be649c1e5449f0ed3d48f2d90066907fd93655dc42 |
| public.ecr.aws/lambda/dotnet:10-preview | public.ecr.aws/lambda/dotnet@sha256:584834e1d9e0b7bb96216f1483ae7e96bb544d75d8d4274bdbdbd0b16e3747ff |
| public.ecr.aws/lambda/dotnet:9 | public.ecr.aws/lambda/dotnet@sha256:c52688e51efa796c3222e8be649c1e5449f0ed3d48f2d90066907fd93655dc42 |
| public.ecr.aws/lambda/dotnet:8 | public.ecr.aws/lambda/dotnet@sha256:306213c3a793ff21989d715e3cecd9a7e81e2e23c577b2ffac5607a3d507c948 |
| public.ecr.aws/lambda/ruby:latest | public.ecr.aws/lambda/ruby@sha256:1c313b72d044bdb893cad3f22c0008b6a7caaf35bc80f5e2db6537f626bdf505 |
| public.ecr.aws/lambda/ruby:3.4 | public.ecr.aws/lambda/ruby@sha256:1c313b72d044bdb893cad3f22c0008b6a7caaf35bc80f5e2db6537f626bdf505 |
| public.ecr.aws/lambda/ruby:3.3 | public.ecr.aws/lambda/ruby@sha256:638473bcb8bf04bc78fcf5d3274f59145eb030c8b159fe4a9ffcb459f3454f2c |
Description
When asked to use a `.netrc` file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances.
This flaw only manifests itself if the netrc file has a default entry that omits both login and password. A rare circumstance.
Remediation Steps
- Update the affected package `curl-minimal` from version `8.11.1-4.amzn2023.0.1` to `8.15.0-4.amzn2023.0.1`.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.