UNCLASSIFIED - NO CUI

chore(findings): afrl-dcgs/stream/seaweedfs

Summary

afrl-dcgs/stream/seaweedfs has 70 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=afrl-dcgs/stream/seaweedfs&tag=3.57&branch=master

| id | source | severity | package | impact | workaround |
|---|---|---|---|---|---|
| GHSA-45x7-px36-x8w8 | Anchore CVE | Medium | golang.org/x/crypto-v0.13.0 | | |
| CVE-2023-6129 | Anchore CVE | Medium | libssl3-3.1.4-r1 | | |
| CVE-2023-6129 | Anchore CVE | Medium | libcrypto3-3.1.4-r1 | | |
| CVE-2023-6237 | Anchore CVE | Low | libssl3-3.1.4-r1 | | |
| CVE-2023-6237 | Anchore CVE | Low | libcrypto3-3.1.4-r1 | | |
| CVE-2024-0727 | Anchore CVE | Medium | libcrypto3-3.1.4-r1 | | |
| CVE-2024-0727 | Anchore CVE | Medium | libssl3-3.1.4-r1 | | |
| GHSA-8r3f-844c-mc37 | Anchore CVE | Medium | google.golang.org/protobuf-v1.31.0 | | |
| GHSA-q7pp-wcgr-pffx | Anchore CVE | Low | github.com/disintegration/imaging-v1.6.2 | | |
| CVE-2024-2511 | Anchore CVE | Low | libssl3-3.1.4-r1 | | |
| CVE-2024-2511 | Anchore CVE | Low | libcrypto3-3.1.4-r1 | | |
| GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.15.0 | | |
| CVE-2023-44487 | Anchore CVE | High | stdlib-go1.20.8 | | |
| CVE-2023-39326 | Anchore CVE | Medium | stdlib-go1.20.8 | | |
| CVE-2023-45285 | Anchore CVE | High | stdlib-go1.20.8 | | |
| CVE-2023-39325 | Anchore CVE | High | stdlib-go1.20.8 | | |
| CVE-2023-39323 | Anchore CVE | High | stdlib-go1.20.8 | | |
| CVE-2024-24791 | Anchore CVE | High | stdlib-go1.20.8 | | |
| CVE-2024-4603 | Anchore CVE | Medium | libssl3-3.1.4-r1 | | |
| CVE-2024-24785 | Anchore CVE | Low | stdlib-go1.20.8 | | |
| CVE-2024-24784 | Anchore CVE | High | stdlib-go1.20.8 | | |
| CVE-2024-4741 | Anchore CVE | Low | libcrypto3-3.1.4-r1 | | |
| CVE-2024-24789 | Anchore CVE | Medium | stdlib-go1.20.8 | | |
| CVE-2024-5535 | Anchore CVE | Critical | libcrypto3-3.1.4-r1 | | |
| CVE-2023-45288 | Anchore CVE | High | stdlib-go1.20.8 | | |
| CVE-2023-45290 | Anchore CVE | Low | stdlib-go1.20.8 | | |
| CVE-2024-24787 | Anchore CVE | Medium | stdlib-go1.20.8 | | |
| CVE-2024-4741 | Anchore CVE | Low | libssl3-3.1.4-r1 | | |
| GHSA-m5vv-6r4h-3vj9 | Anchore CVE | Medium | github.com/Azure/azure-sdk-for-go/sdk/azidentity-v1.3.0 | | |
| GHSA-9phm-fm57-rhg8 | Anchore CVE | High | golang.org/x/image-v0.11.0 | | |
| CVE-2023-45289 | Anchore CVE | Low | stdlib-go1.20.8 | | |
| CVE-2024-24790 | Anchore CVE | Critical | stdlib-go1.20.8 | | |
| CVE-2024-24783 | Anchore CVE | Low | stdlib-go1.20.8 | | |
| CVE-2023-24531 | Anchore CVE | Critical | stdlib-go1.20.8 | | |
| CVE-2024-4603 | Anchore CVE | Medium | libcrypto3-3.1.4-r1 | | |
| CVE-2024-5535 | Anchore CVE | Critical | libssl3-3.1.4-r1 | | |
| CVE-2023-39325 | Twistlock CVE | High | golang.org/x/net/http2-v0.15.0 | | |
| GO-2023-2153 | Twistlock CVE | High | google.golang.org/grpc-v1.58.0 | | |
| CVE-2023-6129 | Twistlock CVE | Medium | openssl-3.1.4-r1 | | |
| CVE-2023-48795 | Twistlock CVE | Medium | golang.org/x/crypto/ssh-v0.13.0 | | |
| CVE-2024-0727 | Twistlock CVE | Medium | openssl-3.1.4-r1 | | |
| CVE-2023-6237 | Twistlock CVE | Low | openssl-3.1.4-r1 | | |
| CVE-2023-45288 | Twistlock CVE | Medium | golang.org/x/net/http2-v0.15.0 | | |
| CVE-2024-2511 | Twistlock CVE | Low | openssl-3.1.4-r1 | | |
| CVE-2023-6992 | Twistlock CVE | Medium | zlib-1.2.13-r1 | | |
| CVE-2023-42366 | Twistlock CVE | Medium | busybox-1.36.1-r5 | | |
| CVE-2024-4603 | Twistlock CVE | Low | openssl-3.1.4-r1 | | |
| CVE-2023-42365 | Twistlock CVE | Medium | busybox-1.36.1-r5 | | |
| CVE-2023-42364 | Twistlock CVE | Medium | busybox-1.36.1-r5 | | |
| CVE-2023-42363 | Twistlock CVE | Medium | busybox-1.36.1-r5 | | |
| CVE-2024-5535 | Twistlock CVE | Low | openssl-3.1.4-r1 | | |
| CVE-2024-4741 | Twistlock CVE | Low | openssl-3.1.4-r1 | | |
| CVE-2024-35255 | Twistlock CVE | Medium | github.com/Azure/azure-sdk-for-go/sdk/azidentity-v1.3.0 | | |
| CVE-2024-24790 | Twistlock CVE | Critical | net/netip-1.20.8 | | |
| CVE-2023-45283 | Twistlock CVE | High | internal/safefilepath-1.20.8 | | |
| CVE-2023-39325 | Twistlock CVE | High | net/http-1.20.8 | | |
| GO-2023-2153 | Twistlock CVE | High | google.golang.org/grpc/internal/transport-v1.58.0 | | |
| CVE-2024-24792 | Twistlock CVE | High | golang.org/x/image/tiff-v0.11.0 | | |
| CVE-2024-24789 | Twistlock CVE | Medium | archive/zip-1.20.8 | | |
| CVE-2023-45284 | Twistlock CVE | Medium | path/filepath-1.20.8 | | |
| CVE-2023-39326 | Twistlock CVE | Medium | net/http/internal-1.20.8 | | |
| CVE-2024-24786 | Twistlock CVE | Medium | google.golang.org/protobuf/internal/encoding/json-v1.31.0 | | |
| CVE-2024-24786 | Twistlock CVE | Medium | google.golang.org/protobuf/encoding/protojson-v1.31.0 | | |
| CVE-2023-45288 | Twistlock CVE | Medium | net/http-1.20.8 | | |
| CVE-2024-24791 | Twistlock CVE | Low | net/http-1.20.8 | | |
| CVE-2024-24785 | Twistlock CVE | Low | html/template-1.20.8 | | |
| CVE-2024-24783 | Twistlock CVE | Low | crypto/x509-1.20.8 | | |
| CVE-2023-45290 | Twistlock CVE | Low | net/textproto-1.20.8 | | |
| CVE-2023-45289 | Twistlock CVE | Low | net/http-1.20.8 | | |
| CVE-2023-45289 | Twistlock CVE | Low | net/http/cookiejar-1.20.8 | | |

Tasks

Contributor:

  • Provide justifications for findings in the VAT (docs)
  • Apply the Status::Verification label to this issue and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.
