Skip to content

Security: temporal/admin-tools image bundles EOL Python 2.7 runtime with multiple vulnerable packages #1108

Description

@vidhya03

Summary

The temporal/admin-tools Docker image bundles a Python 2.7.18 runtime that reached end-of-life in January 2020. Because the runtime itself is unsupported, the packages installed under it (pip, setuptools, wheel, thrift, click) accumulate CVEs with no upstream patches available.

Security scanning flags 6 vulnerable Python packages with a combined total of 40+ CVEs, the majority rated High severity.

None of these appear to have been previously reported in this repository.


Affected artifact

Field Value
Image temporal/admin-tools
Python path /usr/lib/python2.7/
Python version 2.7.18 (EOL Jan 2020)

Vulnerability Details

Package Vulnerable Version Severity CVE(s)
python (runtime) 2.7.18 High CVE-2021-23336, CVE-2021-3733, CVE-2022-0391, CVE-2022-45061, CVE-2022-48560, CVE-2022-48564, CVE-2022-48565, CVE-2022-48566, CVE-2023-24329, CVE-2023-27043, CVE-2023-40217, CVE-2024-6232, CVE-2024-7592, CVE-2024-9287, CVE-2025-12084, CVE-2025-12781, CVE-2025-13836, CVE-2025-13837, CVE-2025-6075, CVE-2026-3644, CVE-2026-4224, CVE-2026-4519, CVE-2026-6019, CVE-2026-7210
thrift 0.13.0 High CVE-2020-13949, CVE-2025-48431, CVE-2026-41603, CVE-2026-41604, CVE-2026-41605, CVE-2026-41606, CVE-2026-41607, CVE-2026-43868, CVE-2026-43869, CVE-2026-43870
pip 20.3.4 High CVE-2021-3572, CVE-2023-5752, CVE-2025-8869, CVE-2026-1703, CVE-2026-3219, CVE-2026-6357, CVE-2026-8643
setuptools 44.1.1 High CVE-2022-40897, CVE-2024-6345, CVE-2025-47273
wheel 0.36.2 High CVE-2022-40898
click 7.1.2 Low PRISMA-2021-0020

Root Cause

Python 2.7 is end-of-life and receives no security patches. Any package installed on this runtime will accumulate CVEs indefinitely. The individual package upgrades are not actionable — the runtime itself must be replaced.


Suggested Fix

Remove Python 2.7 from the temporal/admin-tools image entirely.

  • If Python tooling is required at runtime, replace with Python 3.12+ and re-pin dependencies to their latest secure versions.
  • If Python is only used during build/provisioning, move it to a multi-stage build step so it does not appear in the final image.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions