UNCLASSIFIED - NO CUI

chore(findings): ccj2-a3im/datahub/datahub-upgrade

Summary

ccj2-a3im/datahub/datahub-upgrade has 58 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=ccj2-a3im/datahub/datahub-upgrade&tag=1.3.0.1&branch=master

EPSS (Exploit Prediction Scoring System) estimates the probability, from 0 to 1, that a vulnerability will be exploited in the wild within the next 30 days; the higher the score, the sooner the finding should be patched or justified.

KEV (Known Exploited Vulnerabilities) indicates whether the vulnerability appears in CISA's Known Exploited Vulnerabilities catalog, meaning exploitation in the wild has been confirmed; a value of true outranks any EPSS score. N/A in either column means no EPSS or KEV value was reported for that identifier.

| id | source | severity | package | impact | workaround | epss_score | kev |
|---|---|---|---|---|---|---|---|
| CVE-2021-26291 | Anchore CVE | Critical | maven-artifact-3.6.3 | | | 0.39550 | false |
| CVE-2021-26291 | Anchore CVE | Critical | maven-artifact-3.6.3 | | | 0.39550 | false |
| CVE-2023-28115 | Twistlock CVE | Critical | snappy-1.2.2-r0 | | | 0.16753 | false |
| CVE-2025-59419 | Twistlock CVE | High | io.netty_netty-codec-smtp-4.1.125.Final | | | 0.03365 | false |
| CVE-2023-41330 | Twistlock CVE | Critical | snappy-1.2.2-r0 | | | 0.01332 | false |
| CVE-2024-29133 | Twistlock CVE | Low | org.apache.commons_commons-configuration2-2.8.0 | | | 0.00509 | false |
| CVE-2023-3635 | Anchore CVE | High | okio-fakefilesystem-jvm-3.2.0 | | | 0.00375 | false |
| CVE-2024-43126 | Anchore CVE | High | opentelemetry-exporter-sender-okhttp-1.49.0 | | | 0.00305 | false |
| CVE-2024-29131 | Twistlock CVE | Low | org.apache.commons_commons-configuration2-2.8.0 | | | 0.00203 | false |
| CVE-2024-39657 | Anchore CVE | High | opentelemetry-exporter-sender-okhttp-1.49.0 | | | 0.00141 | false |
| CVE-2016-2781 | Anchore CVE | Medium | coreutils-9.7-r1 | | | 0.00084 | false |
| CVE-2016-2781 | Anchore CVE | Medium | coreutils-fmt-9.7-r1 | | | 0.00084 | false |
| CVE-2016-2781 | Anchore CVE | Medium | coreutils-env-9.7-r1 | | | 0.00084 | false |
| CVE-2016-2781 | Anchore CVE | Medium | coreutils-sha512sum-9.7-r1 | | | 0.00084 | false |
| CVE-2025-22227 | Twistlock CVE | Medium | io.projectreactor.netty_reactor-netty-http-1.0.48 | | | 0.00077 | false |
| CVE-2020-8908 | Twistlock CVE | Low | com.google.guava_guava-30.1.1-jre | | | 0.00072 | false |
| CVE-2025-11226 | Twistlock CVE | Medium | ch.qos.logback_logback-core-1.5.18 | | | 0.00071 | false |
| CVE-2023-2976 | Twistlock CVE | High | com.google.guava_guava-30.1.1-jre | | | 0.00071 | false |
| CVE-2025-67735 | Twistlock CVE | Medium | io.netty_netty-codec-http-4.1.125.Final | | | 0.00051 | false |
| CVE-2025-67735 | Anchore CVE | Medium | reactor-netty-core-1.0.48 | | | 0.00051 | false |
| CVE-2025-67735 | Anchore CVE | Medium | grpc-netty-shaded-1.68.3 | | | 0.00051 | false |
| CVE-2025-67735 | Anchore CVE | Medium | reactor-netty-http-1.0.48 | | | 0.00051 | false |
| CVE-2025-53864 | Twistlock CVE | Medium | com.nimbusds_nimbus-jose-jwt-10.0.1 | | | 0.00044 | false |
| CVE-2025-9624 | Twistlock CVE | High | org.opensearch_opensearch-common-2.11.1 | | | 0.00042 | false |
| CVE-2024-23454 | Twistlock CVE | Low | org.apache.hadoop_hadoop-common-3.3.6 | | | 0.00037 | false |
| CVE-2024-23454 | Anchore CVE | Medium | hadoop-client-3.3.6 | | | 0.00037 | false |
| CVE-2024-23454 | Anchore CVE | Medium | hadoop-hdfs-client-3.3.6 | | | 0.00037 | false |
| CVE-2024-23454 | Anchore CVE | Medium | hadoop-mapreduce-client-core-3.3.6 | | | 0.00037 | false |
| CVE-2024-23454 | Anchore CVE | Medium | hadoop-annotations-3.3.6 | | | 0.00037 | false |
| CVE-2024-23454 | Anchore CVE | Medium | hadoop-auth-3.3.6 | | | 0.00037 | false |
| CVE-2024-23454 | Anchore CVE | Medium | hadoop-yarn-common-3.3.6 | | | 0.00037 | false |
| CVE-2024-23454 | Anchore CVE | Medium | hadoop-yarn-client-3.3.6 | | | 0.00037 | false |
| CVE-2024-23454 | Anchore CVE | Medium | hadoop-mapreduce-client-jobclient-3.3.6 | | | 0.00037 | false |
| CVE-2024-23454 | Anchore CVE | Medium | hadoop-mapreduce-client-common-3.3.6 | | | 0.00037 | false |
| CVE-2024-23454 | Anchore CVE | Medium | hadoop-yarn-api-3.3.6 | | | 0.00037 | false |
| CVE-2024-23454 | Anchore CVE | Medium | hadoop-shaded-guava-1.1.1 | | | 0.00037 | false |
| CVE-2025-68161 | Twistlock CVE | Medium | org.apache.logging.log4j_log4j-core-2.23.1 | | | 0.00028 | false |
| CVE-2023-50572 | Anchore CVE | Medium | jline-3.9.0 | | | 0.00021 | false |
| CVE-2025-10966 | Anchore CVE | Medium | curl-8.14.1-r2 | | | 0.00017 | false |
| CVE-2025-48924 | Twistlock CVE | Medium | org.apache.commons_commons-lang3-3.12.0 | | | 0.00016 | false |
| d33cd1c56d51b8a0593f5ec64f2fc68e | Anchore Compliance | Critical | | | | N/A | N/A |
| GHSA-xwmg-2g98-w7v9 | Anchore CVE | Medium | nimbus-jose-jwt-10.0.1 | | | N/A | N/A |
| GHSA-xjp4-hw94-mvp5 | Anchore CVE | Medium | commons-configuration2-2.8.0 | | | N/A | N/A |
| GHSA-vc5p-v9hr-52mj | Anchore CVE | Medium | log4j-core-2.23.1 | | | N/A | N/A |
| GHSA-vc5p-v9hr-52mj | Anchore CVE | Medium | log4j-core-2.23.1 | | | N/A | N/A |
| GHSA-mw3v-mmfw-3x2g | Anchore CVE | High | opensearch-common-2.11.1 | | | N/A | N/A |
| GHSA-jq43-27x9-3v86 | Anchore CVE | High | netty-codec-smtp-4.1.125.Final | | | N/A | N/A |
| GHSA-jq43-27x9-3v86 | Anchore CVE | High | netty-codec-smtp-4.1.125.Final | | | N/A | N/A |
| GHSA-j288-q9x7-2f5v | Anchore CVE | Medium | commons-lang3-3.12.0 | | | N/A | N/A |
| GHSA-f5fw-25gw-5m92 | Anchore CVE | Low | hadoop-common-3.3.6 | | | N/A | N/A |
| GHSA-9w38-p64v-xpmv | Anchore CVE | Medium | commons-configuration2-2.8.0 | | | N/A | N/A |
| GHSA-84h7-rjj3-6jx4 | Anchore CVE | Medium | netty-codec-http-4.1.125.Final | | | N/A | N/A |
| GHSA-84h7-rjj3-6jx4 | Anchore CVE | Medium | netty-codec-http-4.1.125.Final | | | N/A | N/A |
| GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-30.1.1-jre | | | N/A | N/A |
| GHSA-5mg8-w23w-74h3 | Anchore CVE | Low | guava-30.1.1-jre | | | N/A | N/A |
| GHSA-4q2v-9p7v-3v22 | Anchore CVE | Medium | reactor-netty-http-1.0.48 | | | N/A | N/A |
| GHSA-25qh-j22f-pwp8 | Anchore CVE | Medium | logback-core-1.5.18 | | | N/A | N/A |
| GHSA-25qh-j22f-pwp8 | Anchore CVE | Medium | logback-core-1.5.18 | | | N/A | N/A |
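The EPSS and KEV columns above are the two signals a contributor should rank the 58 rows by before writing justifications, and the same advisory is reported here across many packages (CVE-2024-23454 against twelve Hadoop jars, for example) so it only needs one justification. The script below is an added example, not Iron Bank or VAT tooling: it parses rows in the layout of this table (the space-separated export or the rendered pipe table), collapses each advisory id across its packages, and orders by KEV first, then EPSS, then severity. The sample rows are a constructed subset copied from the table above; the 0.10 EPSS cutoff for "patch first" is an assumption to be set per your own policy.

```python
"""Triage helper for a VAT-style findings table: parse the rows, collapse the
same advisory reported across several packages, and rank by KEV, then EPSS,
then severity. Added example; not Iron Bank or VAT tooling."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the rows from the table above, mostly in the
# space-separated export form, the last one as a rendered pipe-table row.
SAMPLE_ROWS = """\
id source severity package impact workaround epss_score kev
CVE-2021-26291 Anchore CVE Critical maven-artifact-3.6.3 0.39550 false
CVE-2021-26291 Anchore CVE Critical maven-artifact-3.6.3 0.39550 false
CVE-2023-28115 Twistlock CVE Critical snappy-1.2.2-r0 0.16753 false
CVE-2025-59419 Twistlock CVE High io.netty_netty-codec-smtp-4.1.125.Final 0.03365 false
CVE-2024-23454 Twistlock CVE Low org.apache.hadoop_hadoop-common-3.3.6 0.00037 false
CVE-2024-23454 Anchore CVE Medium hadoop-client-3.3.6 0.00037 false
CVE-2024-23454 Anchore CVE Medium hadoop-hdfs-client-3.3.6 0.00037 false
d33cd1c56d51b8a0593f5ec64f2fc68e Anchore Compliance Critical N/A N/A
| GHSA-jq43-27x9-3v86 | Anchore CVE | High | netty-codec-smtp-4.1.125.Final | | | N/A | N/A |
"""

ROW_RE = re.compile(
    r"^(?P<id>\S+)\s+"
    r"(?P<source>Anchore CVE|Anchore Compliance|Twistlock CVE)\s+"
    r"(?P<severity>Critical|High|Medium|Low)\s+"
    r"(?:(?P<package>\S+)\s+)?"          # absent on compliance findings
    r"(?P<epss>N/A|\d+\.\d+)\s+"
    r"(?P<kev>true|false|N/A)$"
)
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
HIGH_EPSS = 0.10  # assumed cutoff for "patch before justifying"; set per your policy


@dataclass
class Finding:
    id: str
    source: str
    severity: str
    package: Optional[str]
    epss: Optional[float]   # None where the table says N/A
    kev: Optional[bool]     # None where the table says N/A


def parse_findings(text: str) -> List[Finding]:
    """Parse table rows; header, separator and blank lines are skipped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = re.sub(r"\s*\|\s*", " ", raw).strip()   # pipe cells -> spaces
        if not line or line.startswith("id ") or set(line) <= set("-: "):
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable finding row: {raw!r}")
        epss = None if m["epss"] == "N/A" else float(m["epss"])
        kev = None if m["kev"] == "N/A" else m["kev"] == "true"
        findings.append(Finding(m["id"], m["source"], m["severity"],
                                m["package"], epss, kev))
    return findings


def triage(findings: List[Finding]) -> List[Dict]:
    """One entry per advisory id, ranked KEV > EPSS > severity (all descending)."""
    by_id: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        by_id[f.id].append(f)
    ranked = []
    for fid, group in by_id.items():
        severity = max(group, key=lambda f: SEVERITY_RANK[f.severity]).severity
        epss = max((f.epss for f in group if f.epss is not None), default=None)
        kev = any(f.kev is True for f in group)
        packages = sorted({f.package for f in group if f.package})
        if kev:
            action = "patch now (listed in CISA KEV)"
        elif epss is not None and epss >= HIGH_EPSS:
            action = f"patch first (EPSS {epss:.3f} >= {HIGH_EPSS})"
        else:
            action = "justify in VAT or patch on normal cadence"
        ranked.append({"id": fid, "severity": severity, "epss": epss, "kev": kev,
                       "packages": packages, "rows": len(group), "action": action})
    ranked.sort(key=lambda r: (r["kev"], -1.0 if r["epss"] is None else r["epss"],
                               SEVERITY_RANK[r["severity"]]), reverse=True)
    return ranked


if __name__ == "__main__":
    for r in triage(parse_findings(SAMPLE_ROWS)):
        epss = "N/A" if r["epss"] is None else f"{r['epss']:.5f}"
        print(f"{r['id']:<34} {r['severity']:<8} epss={epss:<8} rows={r['rows']} "
              f"pkgs={len(r['packages'])}  {r['action']}")
```

Run it on the full table by pasting the rows into SAMPLE_ROWS or reading them from a file; the output lists each advisory once with the number of table rows and distinct packages it covers, so one justification in the VAT can be written per id rather than per row. Findings with no EPSS value (GHSA-only advisories and the compliance finding) sort below every scored CVE and fall back to severity order.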


Tasks

Contributor:

  • Apply the StatusReview label to this issue for a merge request review and wait for feedback

OR

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.

Edited by CHORE_TOKEN