UNCLASSIFIED - NO CUI


chore(findings): aiml/apache/superset

Summary

aiml/apache/superset has 151 new findings discovered during continuous monitoring.

Layer: apache/superset:4.0.1 is EOL; please update if possible.

Layer: opensource/python:v3.11.8 is EOL; please update if possible.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=aiml/apache/superset&tag=4.0.1&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

| id | source | severity | package | impact | workaround | epss_score | kev |
|---|---|---|---|---|---|---|---|
| CVE-2024-52338 | Twistlock CVE | Low | pyarrow-14.0.2 | | | 0.02270 | false |
| CVE-2024-49767 | Twistlock CVE | High | werkzeug-3.0.3 | Assuming the other conditions listed are met, then it is possible to exploit this. | Configure Request.max_content_length. | 0.00602 | false |
| CVE-2024-55633 | Twistlock CVE | Medium | apache-superset-4.0.1 | | | 0.00517 | false |
| CVE-2021-3826 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00368 | false |
| CVE-2021-3826 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00368 | false |
| CVE-2021-3826 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00368 | false |
| CVE-2024-3651 | Twistlock CVE | Medium | idna-3.0 | | | 0.00338 | false |
| CVE-2024-53948 | Twistlock CVE | Medium | apache-superset-4.0.1 | | | 0.00311 | false |
| CVE-2024-53949 | Twistlock CVE | Medium | apache-superset-4.0.1 | | | 0.00260 | false |
| CVE-2021-3572 | Anchore CVE | Low | python3-pip-21.3.1-1.el9 | | | 0.00240 | false |
| CVE-2024-0397 | Anchore CVE | Low | python3-devel-3.9.21-2.el9_6.2 | | | 0.00226 | false |
| CVE-2024-12797 | Twistlock CVE | Low | cryptography-42.0.4 | | | 0.00222 | false |
| CVE-2021-45078 | Twistlock CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00208 | false |
| CVE-2021-45078 | Anchore CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00208 | false |
| CVE-2021-45078 | Anchore CVE | Medium | binutils-gold-2.35.2-63.el9 | | | 0.00208 | false |
| CVE-2024-53947 | Twistlock CVE | Critical | apache-superset-4.0.1 | | | 0.00202 | false |
| CVE-2025-1153 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00185 | false |
| CVE-2025-1153 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00185 | false |
| CVE-2025-1153 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00185 | false |
| CVE-2025-1795 | Anchore CVE | Low | python3-devel-3.9.21-2.el9_6.2 | | | 0.00184 | false |
| CVE-2024-41996 | Anchore CVE | Low | openssl-devel-1:3.2.2-6.el9_5.1 | | | 0.00166 | false |
| CVE-2025-47273 | Twistlock CVE | High | setuptools-72.2.0 | | | 0.00139 | false |
| CVE-2021-20197 | Twistlock CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00138 | false |
| CVE-2021-20197 | Anchore CVE | Medium | binutils-gold-2.35.2-63.el9 | | | 0.00138 | false |
| CVE-2021-20197 | Anchore CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00138 | false |
| CVE-2021-32256 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00115 | false |
| CVE-2021-32256 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00115 | false |
| CVE-2025-8194 | Anchore CVE | Medium | python3-devel-3.9.21-2.el9_6.2 | | | 0.00096 | false |
| CVE-2025-6069 | Anchore CVE | Medium | python3-devel-3.9.21-2.el9_6.2 | | | 0.00090 | false |
| CVE-2025-48912 | Twistlock CVE | Medium | apache-superset-4.0.1 | | | 0.00084 | false |
| CVE-2025-1152 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00081 | false |
| CVE-2025-1152 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00081 | false |
| CVE-2025-1152 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00081 | false |
| CVE-2025-1150 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00081 | false |
| CVE-2025-1150 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00081 | false |
| CVE-2025-1150 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00081 | false |
| CVE-2024-13176 | Anchore CVE | Low | openssl-devel-1:3.2.2-6.el9_5.1 | | | 0.00080 | false |
| CVE-2025-1151 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00075 | false |
| CVE-2025-1151 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00075 | false |
| CVE-2025-1151 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00075 | false |
| CVE-2025-55673 | Twistlock CVE | Medium | apache-superset-4.0.1 | | | 0.00066 | false |
| CVE-2025-1377 | Anchore CVE | Low | elfutils-debuginfod-client-0.192-6.el9_6 | | | 0.00065 | false |
| CVE-2024-49766 | Twistlock CVE | Medium | werkzeug-3.0.3 | Assuming the other conditions listed are met, this is exploitable. | | 0.00062 | false |
| CVE-2025-43859 | Twistlock CVE | Critical | h11-0.14.0 | | | 0.00056 | false |
| CVE-2022-27943 | Anchore CVE | Low | cpp-11.5.0-5.el9_5 | | | 0.00050 | false |
| CVE-2022-27943 | Anchore CVE | Low | gcc-11.5.0-5.el9_5 | | | 0.00050 | false |
| CVE-2022-27943 | Anchore CVE | Low | gcc-c++-11.5.0-5.el9_5 | | | 0.00050 | false |
| CVE-2022-27943 | Anchore CVE | Low | libstdc++-devel-11.5.0-5.el9_5 | | | 0.00050 | false |
| CVE-2025-55674 | Twistlock CVE | Medium | apache-superset-4.0.1 | | | 0.00049 | false |
| CVE-2025-24023 | Twistlock CVE | Low | flask-appbuilder-4.5.0 | | | 0.00048 | false |
| CVE-2025-1376 | Anchore CVE | Low | elfutils-debuginfod-client-0.192-6.el9_6 | | | 0.00048 | false |
| CVE-2023-1972 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00045 | false |
| CVE-2023-1972 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00045 | false |
| CVE-2023-1972 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00045 | false |
| CVE-2024-56326 | Twistlock CVE | Medium | jinja2-3.1.4 | This vulnerability impacts applications which execute untrusted templates. This is uncommon for web and other document rendering use cases, but may be common in deployment tools that allow third party plugins. | | 0.00044 | false |
| CVE-2025-27516 | Twistlock CVE | Medium | jinja2-3.1.4 | This vulnerability impacts applications which execute untrusted templates. This is uncommon for web and other document rendering use cases, but may be common in deployment tools that allow third party plugins. | | 0.00042 | false |
| CVE-2023-1579 | Twistlock CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00040 | false |
| CVE-2023-1579 | Anchore CVE | Medium | binutils-gold-2.35.2-63.el9 | | | 0.00040 | false |
| CVE-2023-1579 | Anchore CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00040 | false |
| CVE-2025-32962 | Twistlock CVE | Medium | flask-appbuilder-4.5.0 | | | 0.00038 | false |
| CVE-2025-50817 | Twistlock CVE | High | future-1.0.0 | | | 0.00036 | false |
| CVE-2025-55675 | Twistlock CVE | Medium | apache-superset-4.0.1 | | | 0.00031 | false |
| CVE-2025-55672 | Twistlock CVE | Medium | apache-superset-4.0.1 | | | 0.00030 | false |
| CVE-2025-1371 | Anchore CVE | Low | elfutils-debuginfod-client-0.192-6.el9_6 | | | 0.00029 | false |
| CVE-2024-47081 | Twistlock CVE | Medium | requests-2.32.3 | | | 0.00028 | false |
| CVE-2024-57360 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00024 | false |
| CVE-2024-57360 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00024 | false |
| CVE-2024-57360 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00024 | false |
| CVE-2025-5245 | Twistlock CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00022 | false |
| CVE-2025-5245 | Anchore CVE | Medium | binutils-gold-2.35.2-63.el9 | | | 0.00022 | false |
| CVE-2025-5245 | Anchore CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00022 | false |
| CVE-2025-4516 | Anchore CVE | Medium | python3-devel-3.9.21-2.el9_6.2 | | | 0.00021 | false |
| CVE-2024-6827 | Twistlock CVE | High | gunicorn-21.2.0 | | | 0.00021 | false |
| CVE-2024-56201 | Twistlock CVE | Medium | jinja2-3.1.4 | This vulnerability impacts applications which execute untrusted templates where the template author can also choose the template filename. This is uncommon for web and other document rendering use cases, but may be common in deployment tools that allow third party plugins. | Check if any template filenames contain curly braces ({{ and }}). If so, and the braces enclose Python code, audit or remove those files. | 0.00021 | false |
| CVE-2022-44840 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00021 | false |
| CVE-2022-44840 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00021 | false |
| CVE-2022-44840 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00021 | false |
| CVE-2025-27696 | Twistlock CVE | High | apache-superset-4.0.1 | | | 0.00017 | false |
| CVE-2022-38533 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00017 | false |
| CVE-2022-38533 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00017 | false |
| CVE-2022-38533 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00017 | false |
| CVE-2025-7546 | Twistlock CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00015 | false |
| CVE-2025-7546 | Anchore CVE | Medium | binutils-gold-2.35.2-63.el9 | | | 0.00015 | false |
| CVE-2025-7546 | Anchore CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00015 | false |
| CVE-2025-50181 | Twistlock CVE | Medium | urllib3-2.2.2 | Most users don't disable redirects on the PoolManager. | Set redirects=False or redirects=0 on the .request call instead of on the top-level urllib3.PoolManager. | 0.00015 | false |
| CVE-2025-50181 | Anchore CVE | Medium | python3-pip-21.3.1-1.el9 | | | 0.00015 | false |
| CVE-2025-7545 | Twistlock CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2025-7545 | Anchore CVE | Medium | binutils-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2025-7545 | Anchore CVE | Medium | binutils-gold-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2024-25260 | Anchore CVE | Low | elfutils-debuginfod-client-0.192-6.el9_6 | | | 0.00014 | false |
| CVE-2022-47011 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2022-47011 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2022-47011 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2022-47010 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2022-47010 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2022-47010 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2022-47008 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2022-47008 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2022-47008 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2022-47007 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2022-47007 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2022-47007 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00014 | false |
| CVE-2025-50182 | Twistlock CVE | Medium | urllib3-2.2.2 | Pyodide is an extremely rare configuration for users in production. | | 0.00013 | false |
| CVE-2025-50182 | Anchore CVE | Medium | python3-pip-21.3.1-1.el9 | | | 0.00013 | false |
| CVE-2024-45314 | Twistlock CVE | Medium | flask-appbuilder-4.5.0 | | | 0.00013 | false |
| CVE-2025-3198 | Twistlock CVE | Low | binutils-2.35.2-63.el9 | | | 0.00011 | false |
| CVE-2025-3198 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | 0.00011 | false |
| CVE-2025-3198 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | 0.00011 | false |
| CVE-2023-2222 | Anchore CVE | Low | binutils-2.35.2-63.el9 | | | N/A | false |
| CVE-2023-2222 | Anchore CVE | Low | binutils-gold-2.35.2-63.el9 | | | N/A | false |
| addbb93c22e9b0988b8b40392a4538cb | Anchore Compliance | Low | | | | N/A | N/A |
| PRISMA-2022-0168 | Twistlock CVE | High | pip-21.3.1 | | | N/A | N/A |
| GHSA-xqrq-4mgf-ff32 | Anchore CVE | High | future-1.0.0 | | | N/A | N/A |
| GHSA-w6c7-j32f-rq8j | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-w6c7-j32f-rq8j | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-vqfr-h8mv-ghfj | Anchore CVE | Critical | h11-0.14.0 | | | N/A | N/A |
| GHSA-q34m-jh98-gwm2 | Anchore CVE | Medium | werkzeug-3.0.3 | | | N/A | N/A |
| GHSA-q2x7-8rv6-6q7h | Anchore CVE | Medium | jinja2-3.1.4 | | | N/A | N/A |
| GHSA-pq67-6m6q-mj2v | Anchore CVE | Medium | urllib3-2.2.2 | | | N/A | N/A |
| GHSA-p8q5-cvwx-wvwp | Anchore CVE | Low | flask-appbuilder-4.5.0 | | | N/A | N/A |
| GHSA-mhpq-m962-mg92 | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-mhpq-m962-mg92 | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-hc5x-x2vx-497g | Anchore CVE | High | gunicorn-21.2.0 | | | N/A | N/A |
| GHSA-h4gh-qq45-vh27 | Twistlock CVE | Medium | cryptography-42.0.4 | | | N/A | N/A |
| GHSA-h4gh-qq45-vh27 | Anchore CVE | Medium | cryptography-42.0.4 | | | N/A | N/A |
| GHSA-gmj6-6f8f-6699 | Anchore CVE | Medium | jinja2-3.1.4 | | | N/A | N/A |
| GHSA-fxgf-3xh6-m2pp | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-fxgf-3xh6-m2pp | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-fw5r-6m3x-rh7p | Anchore CVE | Medium | flask-appbuilder-4.5.0 | | | N/A | N/A |
| GHSA-fj97-2v9x-w5m4 | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-fj97-2v9x-w5m4 | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-f9vj-2wh5-fj8j | Anchore CVE | Medium | werkzeug-3.0.3 | | | N/A | N/A |
| GHSA-cpwx-vrp4-4pq7 | Anchore CVE | Medium | jinja2-3.1.4 | | | N/A | N/A |
| GHSA-9hjg-9r4m-mvj7 | Anchore CVE | Medium | requests-2.32.3 | | | N/A | N/A |
| GHSA-9g5x-mm39-wg9r | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-9g5x-mm39-wg9r | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-99pm-ch96-ccp2 | Anchore CVE | Medium | flask-appbuilder-4.5.0 | | | N/A | N/A |
| GHSA-92qf-8gh3-gwcm | Anchore CVE | Low | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-92qf-8gh3-gwcm | Anchore CVE | Low | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-8w7f-8pr9-xgwj | Anchore CVE | High | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-8w7f-8pr9-xgwj | Anchore CVE | High | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-79v4-65xg-pq4g | Anchore CVE | Low | cryptography-42.0.4 | | | N/A | N/A |
| GHSA-787v-v9vq-4rgv | Anchore CVE | High | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-787v-v9vq-4rgv | Anchore CVE | High | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-5rjg-fvgr-3xxf | Anchore CVE | High | setuptools-72.2.0 | | | N/A | N/A |
| GHSA-48p4-8xcf-vxj5 | Anchore CVE | Medium | urllib3-2.2.2 | | | N/A | N/A |
| GHSA-35fc-9hrj-3585 | Anchore CVE | High | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-35fc-9hrj-3585 | Anchore CVE | High | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-2cx9-54hp-r698 | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| GHSA-2cx9-54hp-r698 | Anchore CVE | Medium | apache-superset-4.0.1 | | | N/A | N/A |
| CCE-83450-7 | OSCAP Compliance | High | | | | N/A | N/A |

Tasks

Contributor:

  • Provide justifications for findings in the VAT (docs)
  • Apply the Status::Verification label to this issue and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.

Edited by CHORE_TOKEN