Summary
The temporal/admin-tools Docker image bundles a Python 2.7.18 runtime that reached end-of-life in January 2020. Because the runtime itself is unsupported, the packages installed under it (pip, setuptools, wheel, thrift, click) accumulate CVEs with no upstream patches available.
Security scanning flags 6 vulnerable Python packages with a combined total of 40+ CVEs, the majority rated High severity.
None of these appear to have been previously reported in this repository.
Affected artifact
| Field |
Value |
| Image |
temporal/admin-tools |
| Python path |
/usr/lib/python2.7/ |
| Python version |
2.7.18 (EOL Jan 2020) |
Vulnerability Details
| Package |
Vulnerable Version |
Severity |
CVE(s) |
python (runtime) |
2.7.18 |
High |
CVE-2021-23336, CVE-2021-3733, CVE-2022-0391, CVE-2022-45061, CVE-2022-48560, CVE-2022-48564, CVE-2022-48565, CVE-2022-48566, CVE-2023-24329, CVE-2023-27043, CVE-2023-40217, CVE-2024-6232, CVE-2024-7592, CVE-2024-9287, CVE-2025-12084, CVE-2025-12781, CVE-2025-13836, CVE-2025-13837, CVE-2025-6075, CVE-2026-3644, CVE-2026-4224, CVE-2026-4519, CVE-2026-6019, CVE-2026-7210 |
thrift |
0.13.0 |
High |
CVE-2020-13949, CVE-2025-48431, CVE-2026-41603, CVE-2026-41604, CVE-2026-41605, CVE-2026-41606, CVE-2026-41607, CVE-2026-43868, CVE-2026-43869, CVE-2026-43870 |
pip |
20.3.4 |
High |
CVE-2021-3572, CVE-2023-5752, CVE-2025-8869, CVE-2026-1703, CVE-2026-3219, CVE-2026-6357, CVE-2026-8643 |
setuptools |
44.1.1 |
High |
CVE-2022-40897, CVE-2024-6345, CVE-2025-47273 |
wheel |
0.36.2 |
High |
CVE-2022-40898 |
click |
7.1.2 |
Low |
PRISMA-2021-0020 |
Root Cause
Python 2.7 is end-of-life and receives no security patches. Any package installed on this runtime will accumulate CVEs indefinitely. The individual package upgrades are not actionable — the runtime itself must be replaced.
Suggested Fix
Remove Python 2.7 from the temporal/admin-tools image entirely.
- If Python tooling is required at runtime, replace with Python 3.12+ and re-pin dependencies to their latest secure versions.
- If Python is only used during build/provisioning, move it to a multi-stage build step so it does not appear in the final image.
References
Summary
The
temporal/admin-toolsDocker image bundles a Python 2.7.18 runtime that reached end-of-life in January 2020. Because the runtime itself is unsupported, the packages installed under it (pip,setuptools,wheel,thrift,click) accumulate CVEs with no upstream patches available.Security scanning flags 6 vulnerable Python packages with a combined total of 40+ CVEs, the majority rated High severity.
None of these appear to have been previously reported in this repository.
Affected artifact
temporal/admin-tools/usr/lib/python2.7/2.7.18(EOL Jan 2020)Vulnerability Details
python(runtime)2.7.18thrift0.13.0pip20.3.4setuptools44.1.1wheel0.36.2click7.1.2Root Cause
Python 2.7 is end-of-life and receives no security patches. Any package installed on this runtime will accumulate CVEs indefinitely. The individual package upgrades are not actionable — the runtime itself must be replaced.
Suggested Fix
Remove Python 2.7 from the
temporal/admin-toolsimage entirely.References