CVE-2024-6345 (HIGH): detected in Lambda Docker Images.

[the-lambda-watchdog]

CVE Details

CVE ID	Severity	Affected Package	Installed Version	Fixed Version	Date Published	Date of Scan
CVE-2024-6345	HIGH	setuptools	65.5.0	70.0.0	2024-07-15T01:15:01.73Z	2025-06-23T10:18:45.486353547Z

---

Affected Docker Images

Image Name	SHA
public.ecr.aws/lambda/python:3.11	public.ecr.aws/lambda/python@sha256:759fbc2f7568156874aa6eb0ddce083a242f78104927edfb17e7f3fcd3caf420
public.ecr.aws/lambda/python:3.10	public.ecr.aws/lambda/python@sha256:bdd42e632d7f0ff456a7a9d72818ab9f6c7e7b82230dc95477c3f6361da2bc34
public.ecr.aws/lambda/python:3.9	public.ecr.aws/lambda/python@sha256:a7cce2f593062bf9cf249459077f728d0f5d7f7f1565bc7a89b4f2227e233789

---

Description

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

---

Remediation Steps

• Update the affected package setuptools from version 65.5.0 to 70.0.0.

About this issue

• This issue may not contain all the information about the CVE nor the images it affects.
• This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
• For more, visit Lambda Watchdog.
• This issue was created automatically by Lambda Watchdog.

[the-lambda-watchdog]

The vulnerability is no longer present in the latest Lambda Watchdog scans. Marking the issue as closed. 🤖