Alpine: multiple pyc packages: security update to 3.11.13-r0

critical Tenable Self-Hosted Container Security Plugin ID 427847

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Allows modifying some file metadata (e.g. last modified) with filter="data" or file permissions (chmod)
with filter="tar" of files outside the extraction directory. You are affected by this vulnerability if
using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract()
using the filter= parameter with a value of "data" or "tar". See the tarfile extraction filters
documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more
information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions
don't include the extraction filter feature. Note that for Python 3.14 or later the default value of
filter= changed from "no filtering" to `"data", so if you are relying on this new default behavior then
your usage is also affected. Note that none of these vulnerabilities significantly affect the installation
of source distributions which are tar archives as source distributions already allow arbitrary code
execution during the build process. However when evaluating source distributions it's important to avoid
installing source distributions with suspicious links. (CVE-2024-12718)

- Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination
directory, and the modification of some file metadata. You are affected by this vulnerability if using the
tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the
filter= parameter with a value of "data" or "tar". See the tarfile extraction filters documentation
https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that
for Python 3.14 or later the default value of filter= changed from "no filtering" to `"data", so if you
are relying on this new default behavior then your usage is also affected. Note that none of these
vulnerabilities significantly affect the installation of source distributions which are tar archives as
source distributions already allow arbitrary code execution during the build process. However when
evaluating source distributions it's important to avoid installing source distributions with suspicious
links. (CVE-2025-4138, CVE-2025-4330)

- Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data".
You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using
TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of "data" or "tar". See
the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-
extraction-filter for more information. Note that for Python 3.14 or later the default value of filter=
changed from "no filtering" to `"data", so if you are relying on this new default behavior then your usage
is also affected. Note that none of these vulnerabilities significantly affect the installation of source
distributions which are tar archives as source distributions already allow arbitrary code execution during
the build process. However when evaluating source distributions it's important to avoid installing source
distributions with suspicious links. (CVE-2025-4517)

See Also

https://security.alpinelinux.org/vuln/CVE-2024-12718

https://security.alpinelinux.org/vuln/CVE-2025-4138

https://security.alpinelinux.org/vuln/CVE-2025-4330

https://security.alpinelinux.org/vuln/CVE-2025-4517

Plugin Details

Severity: Critical

ID: 427847

Version: Revision 1.10

Type: Local

Published: 6/9/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.3

Percentile: 98.45

CVSS v2

Risk Factor: High

Base Score: 9.7

Temporal Score: 7.6

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:P

CVSS Score Source: CVE-2025-4517

CVSS v3

Risk Factor: Critical

Base Score: 9.4

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 10

Threat Score: 9.3

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS Score Source: CVE-2024-12718

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 6/3/2025

Reference Information

CVE: CVE-2024-12718, CVE-2025-4138, CVE-2025-4330, CVE-2025-4517