[Snyk] Security upgrade python from 3.8 to 3.13.3

[vieiraamanda]

Snyk has created this PR to fix 2 vulnerabilities in the dockerfile dependencies of this project.

Keeping your Docker base image up-to-date means you’ll benefit from security fixes in the latest version of your chosen image.

Snyk changed the following file(s):

• Dockerfile

We recommend upgrading to python:3.13.3, as this image has only 204 known vulnerabilities. To do this, merge this pull request, then verify your application still works as expected.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Inappropriate Encoding for Output Context SNYK-DEBIAN12-OPENSSH-1556053	295
	OS Command Injection SNYK-DEBIAN12-IMAGEMAGICK-5660573	256
	OS Command Injection SNYK-DEBIAN12-IMAGEMAGICK-5660573	256
	OS Command Injection SNYK-DEBIAN12-IMAGEMAGICK-5660573	256
	OS Command Injection SNYK-DEBIAN12-IMAGEMAGICK-5660573	256

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 OS Command Injection

[msant262]

Checkmarx One – Scan Summary & Details – 11d29d58-510f-4374-ac6c-f948b65fdf58

New Issues (43)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Missing User Instruction	/Dockerfile: 1	details A user should be specified in the dockerfile, otherwise the image will run as root ID: l%2BjXWK7FAv3yAaBNwyM%2B%2BAkGP9c%3D
	Missing User Instruction	/Dockerfile: 1	details A user should be specified in the dockerfile, otherwise the image will run as root ID: E60VfuXdEmzu36v1WAMa4yvtPLQ%3D
	Passwords And Secrets - Generic Password	/docker-compose.yml: 11	details Query to find passwords and secrets in infrastructure code. ID: V8AVMn8%2FoaddYde7YLHKWRCvPdg%3D
	Passwords And Secrets - Generic Secret	/teste_appscan.yml: 17	details Query to find passwords and secrets in infrastructure code. ID: ecwW1SCO5h3wdQn6xlTtH6F4Tsw%3D
	Apt Get Install Pin Version Not Defined	/Dockerfile: 5	details When installing a package, its pin version should be defined ID: oSU%2B3STagtVtSZQ4qlb3hjVbxQs%3D
	Apt Get Install Pin Version Not Defined	/Dockerfile: 5	details When installing a package, its pin version should be defined ID: fsm14vG2JXWj3EM9MOraEo6xYzM%3D
	Apt Get Install Pin Version Not Defined	/Dockerfile: 8	details When installing a package, its pin version should be defined ID: s5dw367xPzI9EDJsY94Gs%2BkwdnE%3D
	Apt Get Install Pin Version Not Defined	/Dockerfile: 5	details When installing a package, its pin version should be defined ID: qAPdKq6s9kcxPyUxE97p5%2BtRXUA%3D
	Container Capabilities Unrestricted	/docker-compose.yml: 14	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... ID: YMDdiX99qe26NH6DUkTpzUZioDg%3D
	Container Capabilities Unrestricted	/docker-compose.yml: 4	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... ID: NGSkwrNJEwraW3QQ412ZSmCGA8g%3D
	Container Capabilities Unrestricted	/docker-compose.yml: 2	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... ID: 3I7jXnLhrx%2BqHLQNBOIsmML8t%2F4%3D
	Container Capabilities Unrestricted	/docker-compose.yml: 12	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... ID: gP%2F%2BfqNkZPyOqQAl0K%2FUbowMbuY%3D
	Container Capabilities Unrestricted	/docker-compose.yml: 23	details Some capabilities are not needed in certain (or any) containers. Make sure that you only add capabilities that your container needs. Drop unnecessa... ID: A5OKucrLyUyytKqzlnG%2FENfj%2FOo%3D
	Container Traffic Not Bound To Host Interface	/docker-compose.yml: 6	details Incoming container traffic should be bound to a specific host interface ID: Izr8mKlP7kboqARhEtoDYfL6AB8%3D
	Container Traffic Not Bound To Host Interface	/docker-compose.yml: 16	details Incoming container traffic should be bound to a specific host interface ID: M72Rs3WU8T2L5K%2Fpqz7hNi%2Fc%2F4A%3D
	Healthcheck Not Set	/docker-compose.yml: 12	details Check containers periodically to see if they are running properly. ID: LLoY5ia4KoXmMvZMAth1f11wEKc%3D
	Healthcheck Not Set	/docker-compose.yml: 2	details Check containers periodically to see if they are running properly. ID: yZeqNyVsXZaEBnhDH69y3pVzj6E%3D
	Healthcheck Not Set	/docker-compose.yml: 23	details Check containers periodically to see if they are running properly. ID: y8LfUkosBcLy78n%2B0TNKgDbCtBA%3D
	Healthcheck Not Set	/docker-compose.yml: 14	details Check containers periodically to see if they are running properly. ID: W9kY9jpfVAY7LiO4mlzrtjU5WHs%3D
	Healthcheck Not Set	/docker-compose.yml: 4	details Check containers periodically to see if they are running properly. ID: RkxATa9v7hACBgyka5eSvvGiG08%3D
	Memory Not Limited	/docker-compose.yml: 12	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... ID: RYkCpRgZQ5uMv73t15FSa6rlhFo%3D
	Memory Not Limited	/docker-compose.yml: 4	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... ID: mGcZDeCNavannD1WuJ1mv4qNkoE%3D
	Memory Not Limited	/docker-compose.yml: 23	details Memory limits should be defined for each container. This prevents potential resource exhaustion by ensuring that containers consume not more than t... ID: %2Bv2K%2FOPSWsd1pxX4%2FxzM2csqiYo%3D
	Security Opt Not Set	/docker-compose.yml: 12	details Attribute 'security_opt' should be defined. ID: oUc8m%2BoLYv3DH2oyaGpJucc8NZ8%3D
	Security Opt Not Set	/docker-compose.yml: 4	details Attribute 'security_opt' should be defined. ID: MCrG6ZI%2F8g8l8bDS5VRG6fGS3Mo%3D
	Security Opt Not Set	/docker-compose.yml: 23	details Attribute 'security_opt' should be defined. ID: aS1xfCR328sx%2B1Cc54XulT5qCgQ%3D
	Security Opt Not Set	/docker-compose.yml: 2	details Attribute 'security_opt' should be defined. ID: LfrGadfcFaMKhZ0ZNvqarWtoNis%3D
	Security Opt Not Set	/docker-compose.yml: 14	details Attribute 'security_opt' should be defined. ID: SWjK3q2wfJn5C8fJVElzaR7AxLc%3D
	Unpinned Package Version in Pip Install	/Dockerfile: 20	details Package version pinning reduces the range of versions that can be installed, reducing the chances of failure due to unanticipated changes ID: IA%2Fv%2FiK1LjRxfNj12spqF97EK5k%3D
	Cpus Not Limited	/docker-compose.yml: 4	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: LYQFYqe8k%2Bg9%2FmSfoMEEunitbdU%3D
	Cpus Not Limited	/docker-compose.yml: 12	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: VBPzm2SggskXoaNfCrkxWcBuUXg%3D
	Cpus Not Limited	/docker-compose.yml: 23	details CPU limits should be set because if the system has CPU time free, a container is guaranteed to be allocated as much CPU as it requests ID: J%2BPs0ff8aualK4n%2Fv6Mr3kFK%2Fpo%3D
	Healthcheck Instruction Missing	/Dockerfile: 1	details Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working ID: 805LiShyQB4W8XAONe7CRVSvUH0%3D
	Healthcheck Instruction Missing	/Dockerfile: 1	details Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working ID: IpeMSEmUp34b74o%2Baua40zTxTOc%3D
	Multiple RUN, ADD, COPY, Instructions Listed	/Dockerfile: 9	details Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. ID: pSXNcF%2BIgTo0DE2Z02Qbk5ayMGc%3D
	Multiple RUN, ADD, COPY, Instructions Listed	/Dockerfile: 7	details Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. ID: pPiQu6LxgyuP9ov5ctsbzTqtNBk%3D
	Pip install Keeping Cached Packages	/Dockerfile: 14	details When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller ID: EiUk2gdEDk%2BGGf3QbNZPL6rvrwg%3D
	Pip install Keeping Cached Packages	/Dockerfile: 9	details When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller ID: 6M0YLnjTRL9CI4881rYGhfWZbk4%3D
	Pip install Keeping Cached Packages	/Dockerfile: 20	details When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller ID: Tke%2BGe3KVJ4C1lqwwjr7yMs2zq4%3D
	Pip install Keeping Cached Packages	/Dockerfile: 23	details When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller ID: jAISApa31%2FpYw%2B6l%2BbWgqD8YSfA%3D
	Unpinned Actions Full Length Commit SHA	/main.yml: 13	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... ID: OlP4VuCso%2Bc62lmN05RdrBh00v4%3D
	Unpinned Actions Full Length Commit SHA	/teste_appscan.yml: 14	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... ID: 8aU5F3QD2MLDQj8q9nQ9WPVjiOw%3D
	Update Instruction Alone	/Dockerfile: 8	details Instruction 'RUN update' should always be followed by ' install' in the same RUN statement ID: bjkyAChuafG%2FJo8%2FX37Gi%2FMBJRw%3D

Fixed Issues (7)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2024-53908	Python-Django-5.1.3
	CVE-2024-53907	Python-Django-5.1.3
	CVE-2024-56201	Python-Jinja2-3.1.4
	CVE-2024-56326	Python-Jinja2-3.1.4
	CVE-2024-56374	Python-Django-5.1.3
	CVE-2025-26699	Python-Django-5.1.3
	CVE-2025-27516	Python-Jinja2-3.1.4

[PauloNova8]

Checkmarx One – Scan Summary & Details – df33d382-62c0-4628-8221-7f8a9bf01ecf

New Issues (18)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2023-5457	Python-Django-5.2	details Description: A CWE-1269 "Product Released in Non-Release Configuration" vulnerability in the Django web framework used by the web application (due to the "debug... Attack Vector: NETWORK Attack Complexity: LOW ID: 3%2Bu0VRvFkKqs6%2F9iycr%2F4LgpLM230sdM3hw%2BF0Mtcvw%3D Vulnerable Package
	CVE-2024-4340	Python-sqlparse-0.3.1	details Recommended version: 0.5.0 Description: The package sqlparse versions prior to 0.5.0 are vulnerable to Denial of Service (DoS). This vulnerability occurs when a heavily nested list is pas... Attack Vector: NETWORK Attack Complexity: LOW ID: crn31hL1jLIyqA6aiLhm3l7n4YWoPuodHXiHKBR1LI8%3D Vulnerable Package
	Cx89a94f30-7a24	Python-sqlparse-0.3.1	details Recommended version: 0.5.0 Description: In sqlparse versions prior to 0.5.0, passing a heavily nested list to "sqlparse.parse()" leads to a Denial of Service (DOS) attack due to "Recursio... Attack Vector: NETWORK Attack Complexity: LOW ID: Hek7DR%2FsiR6VwL%2FSG%2FUgv%2BDXUoZue04hrZ6DG5%2B3TwY%3D Vulnerable Package
	Deserialization_of_Untrusted_Data	/pygoat/introduction/views.py: 405	details The serialized object FILES processed in  in the file /pygoat/introduction/views.py at line 405 is deserialized by load in the file /pygoat/introdu... ID: kCbvDhp3HvvFDR0zm8iXv1qcSQc%3D Attack Vector
	Missing User Instruction	/Dockerfile: 1	details A user should be specified in the dockerfile, otherwise the image will run as root ID: E60VfuXdEmzu36v1WAMa4yvtPLQ%3D
	Apt Get Install Pin Version Not Defined	/Dockerfile: 8	details When installing a package, its pin version should be defined ID: s5dw367xPzI9EDJsY94Gs%2BkwdnE%3D
	Command_Argument_Injection	/pygoat/introduction/views.py: 300	details An argument is passed to an external OS command by check_output at /pygoat/introduction/views.py in line 312. This could allow an attacker to attac... ID: vbc%2B2ncQoxHTaVGqHmwoE3Fuhg0%3D Attack Vector
	Django_Missing_Function_Level_Authorization	/pygoat/introduction/views.py: 341	details Line 341 flags a method or annotation that could be a potential unauthorized access to object available in the corresponding controller. This quer... ID: ZK89w9aw0Gn%2Bu%2BozOLcGddl9j6k%3D Attack Vector
	Django_Missing_Function_Level_Authorization	/pygoat/introduction/views.py: 230	details Line 230 flags a method or annotation that could be a potential unauthorized access to object available in the corresponding controller. This quer... ID: D2%2FFex4Ylp5VtppBhD8UMS9SHwM%3D Attack Vector
	Django_Missing_Function_Level_Authorization	/pygoat/introduction/views.py: 202	details Line 202 flags a method or annotation that could be a potential unauthorized access to object available in the corresponding controller. This quer... ID: kyIy%2F0RRmGE6OJBzSiUlLYTHE%2FE%3D Attack Vector
	Django_Missing_Function_Level_Authorization	/pygoat/introduction/views.py: 182	details Line 182 flags a method or annotation that could be a potential unauthorized access to object available in the corresponding controller. This quer... ID: 4HHH4MwWu8rdfVnAD8j0UYA%2FCLM%3D Attack Vector
	Secure_Cookie_Flag_Not_Set_In_Config	/pygoat/introduction/views.py: 119	details A cookie was generated and sent to the client in file /pygoat/introduction/views.py in line 119, secure attribute is missing. A cookie without a se... ID: P%2FppiHx0Z5F5WBY4t%2B2VVf9SdRE%3D Attack Vector
	Use_Of_Hardcoded_Password	/pygoat/pygoat/settings.py: 25	details The application uses the hard-coded password "lr66%-a!$km5ed@n5ug!tya5bv!0(yqwa1tn!q%0%3m2nh%oml" for authentication purposes, either using it to v... ID: tP53b%2FEPYW25bk%2F5kjGZyU0FJYc%3D Attack Vector
	Use_Of_Hardcoded_Password	/pygoat/introduction/views.py: 385	details The application uses the hard-coded password "SECERTKEY123" for authentication purposes, either using it to verify users' identities, or to access ... ID: Dg4IvIsXBRiG5Un7QlaTZ01FNj8%3D Attack Vector
	Healthcheck Instruction Missing	/Dockerfile: 1	details Ensure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working ID: 805LiShyQB4W8XAONe7CRVSvUH0%3D
	Multiple RUN, ADD, COPY, Instructions Listed	/Dockerfile: 7	details Multiple commands (RUN, COPY, ADD) should be grouped in order to reduce the number of layers. ID: pPiQu6LxgyuP9ov5ctsbzTqtNBk%3D
	Pip install Keeping Cached Packages	/Dockerfile: 14	details When installing packages with pip, the '--no-cache-dir' flag should be set to make Docker images smaller ID: EiUk2gdEDk%2BGGf3QbNZPL6rvrwg%3D
	Update Instruction Alone	/Dockerfile: 8	details Instruction 'RUN update' should always be followed by ' install' in the same RUN statement ID: bjkyAChuafG%2FJo8%2FX37Gi%2FMBJRw%3D

Fixed Issues (30)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	Command_Injection	/pygoat/introduction/views.py: 300
	Missing User Instruction	/Dockerfile: 1
	Unsafe_Deserialization	/pygoat/introduction/views.py: 116
	Unsafe_Deserialization	/pygoat/introduction/views.py: 113
	Apt Get Install Pin Version Not Defined	/Dockerfile: 8
	Cookie_Poisoning	/pygoat/introduction/views.py: 205
	Cookie_Poisoning	/pygoat/introduction/views.py: 187
	Cookie_Poisoning	/pygoat/introduction/views.py: 188
	Cookie_Poisoning	/pygoat/introduction/views.py: 189
	Cookie_Poisoning	/pygoat/introduction/views.py: 215
	Cookie_Poisoning	/pygoat/introduction/views.py: 343
	Cookie_Poisoning	/pygoat/introduction/views.py: 116
	Cookie_Poisoning	/pygoat/introduction/views.py: 361
	Cookie_Poisoning	/pygoat/introduction/views.py: 216
	Cookie_Poisoning	/pygoat/introduction/views.py: 343
	Host Namespace is Shared	/docker-compose.yml: 4
	Host Namespace is Shared	/docker-compose.yml: 14
	Host Namespace is Shared	/docker-compose.yml: 12
	Host Namespace is Shared	/docker-compose.yml: 2
	Host Namespace is Shared	/docker-compose.yml: 23
	Networks Not Set	/docker-compose.yml: 2
	Networks Not Set	/docker-compose.yml: 12
	Networks Not Set	/docker-compose.yml: 23
	Networks Not Set	/docker-compose.yml: 14
	Networks Not Set	/docker-compose.yml: 4
	Pip install Keeping Cached Packages	/Dockerfile: 14
	Privacy_Violation	/pygoat/introduction/views.py: 216
	Update Instruction Alone	/Dockerfile: 7
	Healthcheck Instruction Missing	/Dockerfile: 1
	Multiple RUN, ADD, COPY, Instructions Listed	/Dockerfile: 7