chore(findings): bitnami/kafka
Summary
bitnami/kafka has 119 new findings discovered during continuous monitoring.
id | source | severity | package |
---|---|---|---|
CVE-2023-26049 | Anchore CVE | Medium | jetty-continuation-9.4.48.v20220622 |
CVE-2023-26048 | Anchore CVE | Medium | jetty-continuation-9.4.48.v20220622 |
CVE-2023-21968 | Anchore CVE | Low | java-11.0.18+10-LTS |
GHSA-6mjq-h674-j845 | Anchore CVE | Medium | netty-handler-4.1.78.Final |
CVE-2023-35116 | Anchore CVE | Medium | jackson-databind-2.13.4.2 |
CVE-2023-36479 | Anchore CVE | Medium | jetty-continuation-9.4.48.v20220622 |
CVE-2023-41900 | Anchore CVE | Medium | jetty-continuation-9.4.48.v20220622 |
CVE-2023-40167 | Anchore CVE | Medium | jetty-continuation-9.4.48.v20220622 |
CVE-2023-44487 | Anchore CVE | High | jetty-continuation-9.4.48.v20220622 |
CVE-2023-36478 | Anchore CVE | High | jetty-continuation-9.4.48.v20220622 |
CVE-2023-21938 | Anchore CVE | Low | java-11.0.18+10-LTS |
CVE-2023-21930 | Anchore CVE | High | java-11.0.18+10-LTS |
CVE-2023-21954 | Anchore CVE | Medium | java-11.0.18+10-LTS |
CVE-2023-21939 | Anchore CVE | Medium | java-11.0.18+10-LTS |
CVE-2023-21937 | Anchore CVE | Low | java-11.0.18+10-LTS |
CVE-2023-21967 | Anchore CVE | Medium | java-11.0.18+10-LTS |
CVE-2023-36479 | Anchore CVE | Medium | jetty-security-11.0.6 |
CVE-2023-26048 | Anchore CVE | Medium | jetty-util-11.0.6 |
CVE-2023-36478 | Anchore CVE | High | jetty-util-ajax-11.0.6 |
CVE-2023-41900 | Anchore CVE | Medium | jetty-security-11.0.6 |
CVE-2023-44487 | Anchore CVE | High | jetty-client-11.0.6 |
CVE-2022-2048 | Anchore CVE | High | jetty-client-11.0.6 |
CVE-2023-36478 | Anchore CVE | High | jetty-util-11.0.6 |
CVE-2023-44487 | Anchore CVE | High | jetty-http-11.0.6 |
CVE-2023-44487 | Anchore CVE | High | jetty-util-ajax-11.0.6 |
CVE-2023-26048 | Anchore CVE | Medium | jetty-client-11.0.6 |
CVE-2023-40167 | Anchore CVE | Medium | jetty-util-ajax-11.0.6 |
CVE-2023-36479 | Anchore CVE | Medium | jetty-util-11.0.6 |
CVE-2023-26049 | Anchore CVE | Medium | jetty-security-11.0.6 |
CVE-2023-41900 | Anchore CVE | Medium | jetty-util-11.0.6 |
CVE-2023-41900 | Anchore CVE | Medium | jetty-util-ajax-11.0.6 |
GHSA-hmr7-m48g-48f6 | Anchore CVE | Medium | jetty-http-11.0.6 |
CVE-2022-2191 | Anchore CVE | High | jetty-client-11.0.6 |
CVE-2023-36479 | Anchore CVE | Medium | jetty-client-11.0.6 |
CVE-2023-26049 | Anchore CVE | Medium | jetty-util-11.0.6 |
CVE-2023-26048 | Anchore CVE | Medium | jetty-security-11.0.6 |
CVE-2023-36478 | Anchore CVE | High | jetty-security-11.0.6 |
CVE-2022-2048 | Anchore CVE | High | jetty-http-11.0.6 |
CVE-2023-26049 | Anchore CVE | Medium | jetty-client-11.0.6 |
CVE-2022-2191 | Anchore CVE | High | jetty-http-11.0.6 |
CVE-2023-36479 | Anchore CVE | Medium | jetty-http-11.0.6 |
CVE-2023-41900 | Anchore CVE | Medium | jetty-client-11.0.6 |
CVE-2022-2047 | Anchore CVE | Low | jetty-client-11.0.6 |
GHSA-cj7v-27pg-wf7q | Anchore CVE | Low | jetty-http-11.0.6 |
CVE-2023-26048 | Anchore CVE | Medium | jetty-http-11.0.6 |
CVE-2023-36478 | Anchore CVE | High | jetty-client-11.0.6 |
CVE-2023-26049 | Anchore CVE | Medium | jetty-http-11.0.6 |
CVE-2023-44487 | Anchore CVE | High | jetty-security-11.0.6 |
CVE-2023-26048 | Anchore CVE | Medium | jetty-util-ajax-11.0.6 |
CVE-2023-40167 | Anchore CVE | Medium | jetty-util-11.0.6 |
CVE-2023-36478 | Anchore CVE | High | jetty-http-11.0.6 |
CVE-2023-26049 | Anchore CVE | Medium | jetty-util-ajax-11.0.6 |
CVE-2023-44487 | Anchore CVE | High | jetty-util-11.0.6 |
CVE-2023-36479 | Anchore CVE | Medium | jetty-util-ajax-11.0.6 |
CVE-2023-40167 | Anchore CVE | Medium | jetty-security-11.0.6 |
CVE-2023-40167 | Anchore CVE | Medium | jetty-client-11.0.6 |
CVE-2023-41900 | Anchore CVE | Medium | jetty-http-11.0.6 |
GHSA-6qvw-249j-h44c | Anchore CVE | Medium | jose4j-0.9.3 |
CVE-2023-44487 | Anchore CVE | High | jetty-servlets-11.0.16 |
CVE-2023-44487 | Anchore CVE | High | jetty-server-11.0.16 |
CVE-2023-44487 | Anchore CVE | High | jetty-servlet-11.0.16 |
CVE-2023-44487 | Anchore CVE | High | jetty-io-11.0.16 |
GHSA-r978-9m6m-6gm6 | Anchore CVE | Medium | zookeeper-3.9.1 |
CVE-2023-44487 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-39326 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-45285 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-39323 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-24538 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-39319 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-29404 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-24539 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-29406 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-29400 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-45285 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-39323 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-39318 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-39318 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-29409 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-24538 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-39326 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-29406 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-24532 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-24534 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-24534 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-24539 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-39319 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-29404 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-24536 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-24536 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-29400 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-29409 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-24532 | Anchore CVE | Medium | stdlib-go1.19.6 |
CVE-2023-29403 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-24537 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-29405 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-29405 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-45287 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-29402 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-29402 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-45287 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-29403 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-24537 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-24540 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-24540 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-44487 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-21930 | Twistlock CVE | High | java-11.0.18 |
CVE-2023-34462 | Twistlock CVE | Medium | io.netty_netty-handler-4.1.78.Final |
CVE-2023-21967 | Twistlock CVE | Medium | java-11.0.18 |
CVE-2023-21954 | Twistlock CVE | Medium | java-11.0.18 |
CVE-2023-21939 | Twistlock CVE | Medium | java-11.0.18 |
CVE-2023-35116 | Twistlock CVE | Medium | com.fasterxml.jackson.core_jackson-databind-2.13.4.2 |
CVE-2023-21968 | Twistlock CVE | Low | java-11.0.18 |
CVE-2023-21938 | Twistlock CVE | Low | java-11.0.18 |
CVE-2023-21937 | Twistlock CVE | Low | java-11.0.18 |
CVE-2023-40167 | Twistlock CVE | Medium | org.eclipse.jetty_jetty-http-11.0.6 |
CVE-2022-2047 | Twistlock CVE | Low | org.eclipse.jetty_jetty-http-11.0.6 |
CVE-2023-51775 | Twistlock CVE | Medium | org.bitbucket.b_c_jose4j-0.9.3 |
CVE-2024-23944 | Twistlock CVE | Medium | org.apache.zookeeper_zookeeper-3.9.1 |
CVE-2023-44487 | Twistlock CVE | High | org.eclipse.jetty_jetty-io-11.0.16 |
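The 119 rows above are raw scanner output: the same vulnerability id is repeated once per affected artifact, identical rows appear more than once (the same Go stdlib binary finding reported twice), and Anchore and Twistlock name the same Maven artifact differently (`jetty-io-11.0.16` versus `org.eclipse.jetty_jetty-io-11.0.16`). Before writing VAT justifications it helps to collapse the table to one record per vulnerability id with the deduplicated set of packages it touches. The following script is an added triage helper, not part of this issue or of the Iron Bank/VAT tooling; `SAMPLE_ROWS` is a constructed excerpt copied from the table, and the package-name normalization (splitting on the last `_`) is a heuristic assumed here, not a documented scanner rule.

```python
"""Triage helper for an Iron Bank findings table (added example, not project code).

Parses rows in the pipe-separated layout used in the issue, normalizes the two
scanners' package naming so a finding reported by both Anchore and Twistlock is
counted once, groups findings by vulnerability id (one VAT justification usually
covers every package an id touches), and orders the groups worst-first.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed excerpt copied from the findings table above; not the full export.
SAMPLE_ROWS = """\
id | source | severity | package |
---|---|---|---|
CVE-2023-44487 | Anchore CVE | High | jetty-continuation-9.4.48.v20220622 |
CVE-2023-44487 | Anchore CVE | High | jetty-client-11.0.6 |
CVE-2023-44487 | Anchore CVE | High | jetty-io-11.0.16 |
CVE-2023-44487 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-44487 | Anchore CVE | High | stdlib-go1.19.6 |
CVE-2023-44487 | Twistlock CVE | High | org.eclipse.jetty_jetty-io-11.0.16 |
CVE-2023-24538 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-24538 | Anchore CVE | Critical | stdlib-go1.19.6 |
CVE-2023-35116 | Anchore CVE | Medium | jackson-databind-2.13.4.2 |
CVE-2023-35116 | Twistlock CVE | Medium | com.fasterxml.jackson.core_jackson-databind-2.13.4.2 |
"""


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    source: str
    severity: str
    package: str  # normalized name, see normalize_package()


def normalize_package(pkg: str) -> str:
    """Map Twistlock's 'group_artifact-version' onto Anchore's 'artifact-version'.

    Assumption (heuristic): the last '_' separates the Maven group from the
    artifact. This also handles groups that themselves contain '_' such as
    org.bitbucket.b_c. Names without '_' (Go stdlib, java) are returned as-is.
    """
    return pkg.rsplit("_", 1)[-1]


def parse_table(text: str) -> list[Finding]:
    """Parse 'id | source | severity | package |' rows; header and separator are skipped."""
    findings = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "id" or cells[0].startswith("---"):
            continue
        vuln_id, source, severity, package = cells
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} in row: {line!r}")
        if not re.match(r"^(CVE-\d{4}-\d+|GHSA-[\w-]+)$", vuln_id):
            raise ValueError(f"unexpected vulnerability id {vuln_id!r}")
        findings.append(Finding(vuln_id, source, severity, normalize_package(package)))
    return findings


def group_by_vuln(findings: list[Finding]) -> dict[str, dict]:
    """Collapse rows into one record per vulnerability id.

    'rows' counts raw scanner rows (duplicates included); 'packages' is the
    deduplicated, sorted list of affected packages, which is what a single
    justification must cover. If the scanners disagree on severity, the worst wins.
    """
    groups: dict[str, dict] = {}
    for f in findings:
        g = groups.setdefault(
            f.vuln_id, {"severity": f.severity, "packages": set(), "sources": set(), "rows": 0}
        )
        g["rows"] += 1
        g["packages"].add(f.package)
        g["sources"].add(f.source)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[g["severity"]]:
            g["severity"] = f.severity
    for g in groups.values():
        g["packages"] = sorted(g["packages"])
        g["sources"] = sorted(g["sources"])
    return groups


def triage_order(groups: dict[str, dict]) -> list[str]:
    """Ids worst-first: severity, then number of distinct packages, then id for stability."""
    return sorted(
        groups,
        key=lambda vid: (-SEVERITY_RANK[groups[vid]["severity"]], -len(groups[vid]["packages"]), vid),
    )


if __name__ == "__main__":
    groups = group_by_vuln(parse_table(SAMPLE_ROWS))
    for vid in triage_order(groups):
        g = groups[vid]
        print(f"{vid:<16} {g['severity']:<8} rows={g['rows']:<2} "
              f"packages={len(g['packages'])} sources={'/'.join(g['sources'])}: "
              f"{', '.join(g['packages'])}")
```

Run against the full table, the grouped view makes two things obvious that the flat list hides: CVE-2023-44487 (HTTP/2 rapid reset) is a single issue spanning Jetty 9.4, Jetty 11 and the Go 1.19 stdlib, so one justification about whether HTTP/2 is exposed covers all of them; and the image carries Jetty artifacts at both 11.0.6 and 11.0.16, so bumping one set does not clear the other.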
VAT: https://vat.dso.mil/vat/image?imageName=bitnami/kafka&tag=3.4.0&branch=master
More information can be found in the failed pipeline located here: https://repo1.dso.mil/dsop/bitnami/kafka/-/jobs/23397858
Tasks
Contributor:
- [ ] Provide justifications for findings in the VAT (docs)
- [ ] Apply the ~"Hardening::Verification" label to this issue and wait for feedback
Iron Bank:
- [ ] Review findings and justifications
Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.