CVE Details
| CVE ID | Severity | Affected Package | Installed Version | Fixed Version | Date Published | Date of Scan |
|---|---|---|---|---|---|---|
| CVE-2026-3644 | MEDIUM | python | 2.7.18-1.amzn2.0.16 | 2.7.18-1.amzn2.0.17 | 2026-03-16T18:16:09.907Z | 2026-04-02T10:18:25.532960567Z |
Affected Docker Images
| Image Name | SHA |
|---|---|
| public.ecr.aws/lambda/provided:al2 | public.ecr.aws/lambda/provided@sha256:5e6b56637a7abad385662cd5affe8ec926a90eaefbdeae760e473bdfaeedc002 |
| public.ecr.aws/lambda/python:3.11 | public.ecr.aws/lambda/python@sha256:0e35f30be7b0781161a74fb8388a89e8db5ac8139b9fe6690f98dc8198f66aa6 |
| public.ecr.aws/lambda/python:3.10 | public.ecr.aws/lambda/python@sha256:f96eafce8c54e12eb61f079526b278f107fc597fb071d273dfba9e8c7480f924 |
| public.ecr.aws/lambda/java:17 | public.ecr.aws/lambda/java@sha256:d4c578801fd44cfc7efbb470b7bae18ef4d075b5e92c62d6b05871f1dcf9fdf1 |
| public.ecr.aws/lambda/java:11 | public.ecr.aws/lambda/java@sha256:49bb585aebdbe227ec82c7bca06719a2f47da57456ca38b6d190532adafc0648 |
| public.ecr.aws/lambda/java:8.al2 | public.ecr.aws/lambda/java@sha256:c0638e38733cf99f39231990dde3b110397f533697c654a7675a01adf4ed1898 |
| public.ecr.aws/lambda/ruby:3.2 | public.ecr.aws/lambda/ruby@sha256:4d4dbf993a9532c75ce810ad1653f059ccf566debcd0b3c9df431b701fb2fb83 |
Description
The fix for CVE-2026-0672, which rejected control characters in http.cookies.Morsel, was incomplete. The Morsel.update(), |= operator, and unpickling paths were not patched, allowing control characters to bypass input validation. Additionally, BaseCookie.js_output() lacked the output validation applied to BaseCookie.output().
Remediation Steps
- Update the affected package python from version 2.7.18-1.amzn2.0.16 to 2.7.18-1.amzn2.0.17.
About this issue
- This issue may not contain all the information about the CVE nor the images it affects.
- This issue will not be updated with new information and the list of affected images may have changed since the creation of this issue.
- For more, visit Lambda Watchdog.
- This issue was created automatically by Lambda Watchdog.