UNCLASSIFIED - NO CUI


chore(findings): opensource/ccj2-a3im/datahub/datahub-actions

Summary

opensource/ccj2-a3im/datahub/datahub-actions has 77 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=opensource/ccj2-a3im/datahub/datahub-actions&tag=v0.2.1&branch=master

| id | source | severity | package | impact | workaround |
|---|---|---|---|---|---|
| 03d8818ad9057a73338df2519447cb06 | Anchore Compliance | Critical | | | |
| 41005d4717e971a09f24bca264e037f6 | Anchore Compliance | Critical | | | |
| 8e163263cda4bd745af2e34598d058fe | Anchore Compliance | Critical | | | |
| CVE-2021-3995 | Anchore CVE | Medium | util-linux-2.37.2 | | |
| CVE-2021-3996 | Anchore CVE | Medium | util-linux-2.37.2 | | |
| CVE-2022-0563 | Anchore CVE | Medium | util-linux-2.37.2 | | |
| CVE-2022-1271 | Anchore CVE | High | gzip-1.10 | | |
| CVE-2022-1292 | Anchore CVE | Critical | openssl-3.0.2 | | |
| CVE-2022-1343 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2022-1434 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2022-1473 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2022-2068 | Anchore CVE | Critical | openssl-3.0.2 | | |
| CVE-2022-2097 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2022-3358 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2022-3602 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2022-3786 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2022-3996 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2022-40897 | Twistlock CVE | Medium | setuptools-59.6.0 | | Code path is deprecated. |
| CVE-2022-40898 | Twistlock CVE | High | wheel-0.37.1 | | |
| CVE-2022-4203 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2022-4304 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2022-4450 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2023-0215 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2023-0216 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2023-0217 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2023-0286 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2023-0401 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2023-0464 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2023-0465 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2023-0466 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2023-1255 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2023-2650 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2023-27043 | Anchore CVE | Medium | python-3.10.12 | | |
| CVE-2023-2975 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2023-3446 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2023-3817 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2023-40217 | Anchore CVE | Medium | python-3.10.12 | | |
| CVE-2023-4807 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2023-5363 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2023-5678 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2023-5752 | Twistlock CVE | Low | pip-22.0.2 | | Only users using Mercurial VCS functionality with untrusted inputs are affected. |
| CVE-2023-6129 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2023-6237 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2023-6597 | Anchore CVE | High | python-3.10.12 | | |
| CVE-2024-0397 | Anchore CVE | High | python-3.10.12 | | |
| CVE-2024-0450 | Anchore CVE | Medium | python-3.10.12 | | |
| CVE-2024-0727 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2024-11168 | Anchore CVE | Low | python-3.10.12 | | |
| CVE-2024-13176 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2024-2511 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2024-28085 | Anchore CVE | Low | util-linux-2.37.2 | | |
| CVE-2024-3220 | Anchore CVE | Low | python-3.10.12 | | |
| CVE-2024-4032 | Anchore CVE | High | python-3.10.12 | | |
| CVE-2024-4603 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2024-4741 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2024-50602 | Anchore CVE | Medium | python-3.10.12 | | |
| CVE-2024-5535 | Anchore CVE | Critical | openssl-3.0.2 | | |
| CVE-2024-6119 | Anchore CVE | High | openssl-3.0.2 | | |
| CVE-2024-6232 | Anchore CVE | High | python-3.10.12 | | |
| CVE-2024-6345 | Twistlock CVE | High | setuptools-59.6.0 | | Most users have migrated off of the code paths that are affected. The affected code paths are actively deprecated and planned for turn down. Only specialized and legacy workflows are affected. Use recommended installers (pip, uv, build, system package managers) to install all packages from trusted indexes. If working with untrusted content in private indexes, consider scanning for malicious code in the package index pages. |
| CVE-2024-6923 | Anchore CVE | Medium | python-3.10.12 | | |
| CVE-2024-7592 | Anchore CVE | High | python-3.10.12 | | |
| CVE-2024-8088 | Anchore CVE | Low | python-3.10.12 | | |
| CVE-2024-9143 | Anchore CVE | Medium | openssl-3.0.2 | | |
| CVE-2024-9287 | Anchore CVE | High | python-3.10.12 | | |
| CVE-2025-0938 | Anchore CVE | Low | python-3.10.12 | | |
| CVE-2025-1795 | Anchore CVE | Low | python-3.10.12 | | |
| GHSA-cx63-2mw6-8hw5 | Anchore CVE | High | setuptools-59.6.0 | | |
| GHSA-mq26-g339-26xf | Anchore CVE | Medium | pip-22.0.2 | | |
| GHSA-qwmp-2cf2-g9g6 | Anchore CVE | High | wheel-0.37.1 | | |
| GHSA-r9hx-vwmv-q579 | Anchore CVE | High | setuptools-59.6.0 | | |
| PRISMA-2022-0168 | Twistlock CVE | High | pip-25.0.1 | | |
| PRISMA-2022-0168 | Twistlock CVE | High | pip-22.0.2 | | |
| PRISMA-2022-0404 | Twistlock CVE | Medium | wheel-0.37.1 | | |
| PRISMA-2023-0024 | Twistlock CVE | High | aiohttp-3.11.16 | | |
| fbe3c91b110eabf67665190b181ac77d | Anchore Compliance | Critical | | | |
| xccdf_org.ssgproject.content_rule_permissions_local_var_log | OSCAP Compliance | Medium | | | |

Tasks

Contributor:

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.
