Running with gitlab-runner 13.8.0 (775dd39d)  on dsop-shared-gitlab-runner-f887cbcbd-srgz6 E82_g8RG section_start:1630417881:resolve_secrets Resolving secrets section_end:1630417881:resolve_secrets section_start:1630417881:prepare_executor Preparing the "kubernetes" executor "ServiceAccount" overwritten with "vat" Using Kubernetes namespace: gitlab-runner-ironbank-dsop WARNING: Pulling GitLab Runner helper image from Docker Hub. Helper image is migrating to registry.gitlab.com, for more information see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#migrating-helper-image-to-registrygitlabcom Using Kubernetes executor with image registry1.dso.mil/ironbank/ironbank-pipelines/pipeline-runner:0.3 ... section_end:1630417881:prepare_executor section_start:1630417881:prepare_script Preparing environment Waiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-1020-concurrent-0zmd6d to be running, status is Pending Waiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-1020-concurrent-0zmd6d to be running, status is Pending ContainersNotReady: "containers with unready status: [build helper istio-proxy]" ContainersNotReady: "containers with unready status: [build helper istio-proxy]" Running on runner-e82g8rg-project-1020-concurrent-0zmd6d via dsop-shared-gitlab-runner-f887cbcbd-srgz6... section_end:1630417887:prepare_script section_start:1630417887:get_sources Getting source from Git repository $ until [ $(curl --fail --silent --output /dev/stderr --write-out "%{http_code}" localhost:15020/healthz/ready) -eq 200 ]; do echo Waiting for Sidecar; sleep 3 ; done ; echo Sidecar available; Sidecar available Fetching changes with git depth set to 50... Initialized empty Git repository in /builds/dsop/collaborationai/crowd-vector/appserver/.git/ Created fresh repository. Checking out 60e92683 as development... Skipping object checkout, Git LFS is not installed. Skipping Git submodules setup section_end:1630417888:get_sources section_start:1630417888:download_artifacts Downloading artifacts Downloading artifacts for anchore-scan (6107978)... Downloading artifacts from coordinator... ok  id=6107978 responseStatus=200 OK token=xRqrzUd2 WARNING: ci-artifacts/scan-results/anchore/: lchown ci-artifacts/scan-results/anchore/: operation not permitted (suppressing repeats) Downloading artifacts for build (6107976)... Downloading artifacts from coordinator... ok  id=6107976 responseStatus=200 OK token=pB4jPcBn WARNING: ci-artifacts/build/: lchown ci-artifacts/build/: operation not permitted (suppressing repeats) Downloading artifacts for hardening-manifest (6107972)... Downloading artifacts from coordinator... ok  id=6107972 responseStatus=200 OK token=CPCDEWx_ WARNING: ci-artifacts/preflight/: lchown ci-artifacts/preflight/: operation not permitted (suppressing repeats) Downloading artifacts for load-scripts (6107969)... Downloading artifacts from coordinator... ok  id=6107969 responseStatus=200 OK token=usXe3BTP WARNING: ci-artifacts/[MASKED]/: lchown ci-artifacts/[MASKED]/: operation not permitted (suppressing repeats) Downloading artifacts for openscap-compliance (6107979)... Downloading artifacts from coordinator... ok  id=6107979 responseStatus=200 OK token=DZRKv-x9 WARNING: ci-artifacts/scan-results/openscap/: lchown ci-artifacts/scan-results/openscap/: operation not permitted (suppressing repeats) Downloading artifacts for twistlock-scan (6107980)... Downloading artifacts from coordinator... ok  id=6107980 responseStatus=200 OK token=urSexBgT WARNING: ci-artifacts/scan-results/twistlock/: lchown ci-artifacts/scan-results/twistlock/: operation not permitted (suppressing repeats) Downloading artifacts for wl-compare-lint (6107973)... Downloading artifacts from coordinator... ok  id=6107973 responseStatus=200 OK token=_BjbVyRA WARNING: ci-artifacts/lint/: lchown ci-artifacts/lint/: operation not permitted (suppressing repeats) section_end:1630417889:download_artifacts section_start:1630417889:step_script Executing "step_script" stage of the job script $ "${PIPELINE_REPO_DIR}/stages/vat/vat-run-api.sh" INFO: Log level set to info INFO: Gathering list of all justifications... INFO: API Response: {"imageName":"collaborationai/crowd-vector/appserver","imageTag":"21.35","vatUrl":"https://vat.dso.mil/vat/container/15819","accreditation":"Approved","containerState":"Under Review","findings":[{"identifier":"320a97c6816565eedf3545833df99dd0","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/su. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for su functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"3456a263793066e9b5063ada6e47917d","source":"anchore_comp","description":"SUID or SGID found set on file /usr/libexec/dbus-1/dbus-daemon-launch-helper. Mode: 0o104750\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for dbus-daemon-launch-helper functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"34de21e516c0ca50a96e5386f163f8bf","source":"anchore_comp","description":"SUID or SGID found set on file /usr/sbin/unix_chkpwd. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for unix_chkpwd functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"3e5fad1c039f3ecfd1dcdc94d2f1f9a0","source":"anchore_comp","description":"SUID or SGID found set on file /usr/libexec/utempter/utempter. Mode: 0o102711\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for utempter functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"463a9a24225c26f7a5bf3f38908e5cb3","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/newgrp. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for newgrp functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"639f6f1177735759703e928c14714a59","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/chage. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for chage functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"698044205a9c4a6d48b7937e66a6bf4f","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/mount. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for mount functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"abb121e9621abdd452f65844954cf1c1","source":"anchore_comp","description":"SUID or SGID found set on file /usr/sbin/pam_timestamp_check. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for pam_timestamp_check functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"addbb93c22e9b0988b8b40392a4538cb","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/write. Mode: 0o102755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for write functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"bcd159901fe47efddae5c095b4b0d7fd","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/passwd. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for passwd functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"c2e44319ae5b3b040044d8ae116d1c2f","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/gpasswd. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for gpasswd functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"c4ad80832b361f81df2a31e5b6b09864","source":"anchore_comp","description":"SUID or SGID found set on file /usr/sbin/userhelper. Mode: 0o104711\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for userhelper functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-80935-0","source":"oscap_comp","description":"Configure System Cryptography Policy","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. FIPS enablement requires the host node to have FIPS enabled at the kernel level which is inherited into the container.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-80938-4","source":"oscap_comp","description":"Configure OpenSSL library to use System Crypto Policy","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. /etc/pki/tls/openssl.cnf contains: [ crypto_policy ] .include /etc/crypto-policies/back-ends/openssl.config .include /etc/crypto-policies/back-ends/opensslcnf.config","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82168-6","source":"oscap_comp","description":"Log USBGuard daemon audit events using Linux Audit","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82214-8","source":"oscap_comp","description":"Install sudo Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2021-01-27T17:54:16.000Z","justification":"Sudo is not installed by default since most images are unprivileged and do not require any super user permissions. Removing the package removes the risk of any privilege escalation exploits within sudo.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-01-27T17:57:21.000Z","comment":"This finding is approved.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82220-5","source":"oscap_comp","description":"Install openscap-scanner Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. SCAP scanning occurs during the build pipeline.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82267-6","source":"oscap_comp","description":"Configure dnf-automatic to Install Only Security Updates","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82360-9","source":"oscap_comp","description":"Enable dnf-automatic Timer","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82368-2","source":"oscap_comp","description":"Authorize Human Interface Devices and USB hubs in USBGuard daemon","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82395-5","source":"oscap_comp","description":"Ensure gnutls-utils is installed","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-13T21:13:21.000Z","justification":"Package not available in UBI repos. This package only contains command line TLS client and server and certificate manipulation tools.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2020-11-13T21:16:30.000Z","comment":"This finding is approved.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82472-2","source":"oscap_comp","description":"Set Existing Passwords Minimum Age","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. No users other than root exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82473-0","source":"oscap_comp","description":"Set Existing Passwords Maximum Age","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. No users other than root exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82474-8","source":"oscap_comp","description":"Assign Expiration Date to Temporary Accounts","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. No temporary accounts exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82494-6","source":"oscap_comp","description":"Configure dnf-automatic to Install Available Updates Automatically","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82880-6","source":"oscap_comp","description":"Configure session renegotiation for SSH client","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-02-03T18:36:51.000Z","justification":"Not applicable. openssh-clients is not installed in the base image by default.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-02-03T18:37:31.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-02-03T20:13:01.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82949-9","source":"oscap_comp","description":"Install scap-security-guide Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. SCAP scanning occurs during the build pipeline.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82959-8","source":"oscap_comp","description":"Install usbguard Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82979-6","source":"oscap_comp","description":"Install libcap-ng-utils Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82985-3","source":"oscap_comp","description":"Install dnf-automatic Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. Package performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-83401-0","source":"oscap_comp","description":"Enforce pam_faillock for Local Accounts Only","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-02-03T18:36:51.000Z","justification":"False positive. local_users_only is set in /etc/security/faillock.conf ","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-02-03T18:37:31.000Z","comment":"This finding was reviewed.","designator":"False Positive","falsePositive":true,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-02-03T20:13:02.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2018-25009","source":"anchore_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2018-25009","source":"twistlock_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2018-25010","source":"anchore_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ApplyFilter. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2018-25010","source":"twistlock_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ApplyFilter. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2018-25012","source":"anchore_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2018-25012","source":"twistlock_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function WebPMuxCreateInternal. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2018-25013","source":"anchore_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ShiftBytes. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2018-25013","source":"twistlock_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ShiftBytes. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2018-25014","source":"anchore_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An unitialized variable is used in function ReadSymbol. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2018-25014","source":"twistlock_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An unitialized variable is used in function ReadSymbol. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2019-20372","source":"anchore_cve","description":"NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.","package":"nginx-filesystem-1.14.1-9.module+el8.0.0+4108+af250afe","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:56.000Z","justification":"Installed as dependency on php:7.4/minimal","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:52.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2019-20372","source":"twistlock_cve","description":"NGINX before 1.17.7, with certain error_page configurations, allows HTTP request smuggling, as demonstrated by the ability of an attacker to read unauthorized web pages in environments where NGINX is being fronted by a load balancer.","package":"nginx-filesystem-1.14.1-9.module+el8.0.0+4108+af250afe","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Installed as dependency of php:7.4/minimal, we are not using nginx at run time.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2019-20838","source":"anchore_cve","description":"libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched on 9/21/2018. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:02.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2019-20838","source":"twistlock_cve","description":"libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\\\X or \\\\R has more than one fixed quantifier, a related issue to CVE-2019-20454.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:28.000Z","justification":"Upstream patched on 9/21/2018. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-10001","source":"anchore_cve","description":"An input validation issue was addressed with improved memory handling. This issue is fixed in macOS Big Sur 11.1, Security Update 2020-001 Catalina, Security Update 2020-007 Mojave. A malicious application may be able to read restricted memory.","package":"cups-libs-2.2.6-38.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed in cups 2.3.3op2, not yet merged into Red Hat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-14155","source":"anchore_cve","description":"libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 8.44 on 2/10/2020. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:02.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-14155","source":"twistlock_cve","description":"libpcre in PCRE before 8.44 allows an integer overflow via a large number after a ","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 8.44 on 2/10/2020. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-15389","source":"anchore_cve","description":"jp2/opj_decompress.c in OpenJPEG through 2.3.1 has a use-after-free that can be triggered if there is a mix of valid and invalid files in a directory operated on by the decompressor. Triggering a double-free may also be possible. This is related to calling opj_image_destroy twice.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:56.000Z","justification":"open","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:52.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-16135","source":"anchore_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-16135","source":"twistlock_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T15:13:07.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T15:13:50.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T15:25:13.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-16135","source":"anchore_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-config-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-17541","source":"anchore_cve","description":"Libjpeg-turbo all version have a stack-based buffer overflow in the \"transform\" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service.","package":"libjpeg-turbo-1.5.3-10.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 2.0.4 on 12/5/2019. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-17541","source":"twistlock_cve","description":"Libjpeg-turbo all version have a stack-based buffer overflow in the \\\"transform\\\" component. A remote attacker can send a malformed jpeg file to the service and cause arbitrary code execution or denial of service of the target service.","package":"libjpeg-turbo-1.5.3-10.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 2.0.4 on 12/5/2019. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-18032","source":"anchore_cve","description":"Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the \"lib/common/shapes.c\" component.","package":"graphviz-2.40.1-40.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 2.46.0 on 7/25/2020. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-18032","source":"twistlock_cve","description":"Buffer Overflow in Graphviz Graph Visualization Tools from commit ID f8b9e035 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) by loading a crafted file into the \\\"lib/common/shapes.c\\\" component.","package":"graphviz-2.40.1-40.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 2.46.0 on 7/25/2020. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-24370","source":"anchore_cve","description":"ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).","package":"lua-libs-5.3.4-11.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Published 2020-07-23. Fix available upstream in lua master branch 2020-07-27. Red Hat has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-24870","source":"anchore_cve","description":"Libraw before 0.20.1 has a stack buffer overflow via LibRaw::identify_process_dng_fields in identify.cpp.","package":"LibRaw-0.19.5-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:56.000Z","justification":"Fixed upstream in LibRaw 0.20.1, not yet merged into Red Hat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:52.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-24870","source":"twistlock_cve","description":"Libraw before 0.20.1 has a stack buffer overflow via LibRaw::identify_process_dng_fields in identify.cpp.","package":"LibRaw-0.19.5-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 0.20.1on 8/19/2020. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27814","source":"anchore_cve","description":"A heap-buffer overflow was found in the way openjpeg2 handled certain PNG format files. An attacker could use this flaw to cause an application crash or in some cases execute arbitrary code with the permission of the user running such an application.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:56.000Z","justification":"Fixed upstream in openjpeg2.4.0. Not merged to Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:52.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27814","source":"twistlock_cve","description":"A heap-buffer overflow was found in the way openjpeg2 handled certain PNG format files. An attacker could use this flaw to cause an application crash or in some cases execute arbitrary code with the permission of the user running such an application.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in openjpeg 2.4.0. Not yet merged into Red Hat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27823","source":"anchore_cve","description":"A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T15:45:11.000Z","justification":"Patched upstream in version 2.4.0 on 12/28/20. RH has not patched.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-04-14T15:52:47.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:53.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27823","source":"twistlock_cve","description":"A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-21T15:05:11.000Z","justification":"The bug has been fixed in openjpeg 2.4.0, but hasn't been merged into Red Hat rpm","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-21T15:06:19.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-25T16:32:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2020-27824","source":"anchore_cve","description":"A flaw was found in OpenJPEG’s encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest threat from this vulnerability is to system availability.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T15:45:11.000Z","justification":"Patched upstream in version 2.4.0 on 12/28/20. RH has not patched.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-04-14T15:52:47.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:53.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27824","source":"twistlock_cve","description":"A flaw was found in OpenJPEG’s encoder in the opj_dwt_calc_explicit_stepsizes() function. This flaw allows an attacker who can supply crafted input to decomposition levels to cause a buffer overflow. The highest threat from this vulnerability is to system availability.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 2.4.0 on 12/1/2020. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27828","source":"anchore_cve","description":"There's a flaw in jasper's jpc encoder in versions prior to 2.0.23. Crafted input provided to jasper by an attacker could cause an arbitrary out-of-bounds write. This could potentially affect data confidentiality, integrity, or application availability.","package":"jasper-libs-2.0.14-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in jasper 2.0.23, not yet merged into Red Hat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27842","source":"anchore_cve","description":"There's a flaw in openjpeg's t2 encoder in versions prior to 2.4.0. An attacker who is able to provide crafted input to be processed by openjpeg could cause a null pointer dereference. The highest impact of this flaw is to application availability.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:56.000Z","justification":"Fixed upstream in openjpeg2.4.0. Not merged to Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:53.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27842","source":"twistlock_cve","description":"There\\'s a flaw in openjpeg\\'s t2 encoder in versions prior to 2.4.0. An attacker who is able to provide crafted input to be processed by openjpeg could cause a null pointer dereference. The highest impact of this flaw is to application availability.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in openjpeg 2.4.0. Not yet merged into Red Hat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27843","source":"anchore_cve","description":"A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:56.000Z","justification":"Fixed upstream in openjpeg2.4.0. Not merged to Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:53.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27843","source":"twistlock_cve","description":"A flaw was found in OpenJPEG in versions prior to 2.4.0. This flaw allows an attacker to provide specially crafted input to the conversion or encoding functionality, causing an out-of-bounds read. The highest threat from this vulnerability is system availability.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in openjpeg 2.4.0. Not yet merged into Red Hat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27845","source":"anchore_cve","description":"There's a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. If an attacker is able to provide untrusted input to openjpeg's conversion/encoding functionality, they could cause an out-of-bounds read. The highest impact of this flaw is to application availability.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:56.000Z","justification":"Fixed upstream in openjpeg2.4.0. Not merged to Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:53.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-27845","source":"twistlock_cve","description":"There\\'s a flaw in src/lib/openjp2/pi.c of openjpeg in versions prior to 2.4.0. If an attacker is able to provide untrusted input to openjpeg\\'s conversion/encoding functionality, they could cause an out-of-bounds read. The highest impact of this flaw is to application availability.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in openjpeg 2.4.0. Not yet merged into Red Hat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-35492","source":"anchore_cve","description":"A flaw was found in cairo's image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo's image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.","package":"cairo-1.15.12-3.el8","findingsState":"needs_justification"},{"identifier":"CVE-2020-35492","source":"twistlock_cve","description":"A flaw was found in cairo\\'s image-compositor.c in all versions prior to 1.17.4. This flaw allows an attacker who can provide a crafted input file to cairo\\'s image-compositor (for example, by convincing a user to open a file in an application using cairo, or if an application uses cairo on untrusted input) to cause a stack buffer overflow -> out-of-bounds WRITE. The highest impact from this vulnerability is to confidentiality, integrity, as well as system availability.","package":"cairo-1.15.12-3.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-16T22:14:45.000Z","justification":"Patched upstream in version 1.17.4 on 11/27/2020. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-16T22:14:45.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-16T22:16:54.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-35521","source":"anchore_cve","description":"A flaw was found in libtiff. Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service.","package":"libtiff-4.0.9-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:56.000Z","justification":"Fixed upstream in libtiff 4.2.0. Not yet merged into Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:52.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-35521","source":"twistlock_cve","description":"A flaw was found in libtiff. Due to a memory allocation failure in tif_read.c, a crafted TIFF file can lead to an abort, resulting in denial of service.","package":"libtiff-4.0.9-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in libtiff 4.2.0. Not yet merged into Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-35522","source":"anchore_cve","description":"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.","package":"libtiff-4.0.9-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:56.000Z","justification":"Fixed upstream in libtiff 4.2.0. Not yet merged into Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:52.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-35522","source":"twistlock_cve","description":"In LibTIFF, there is a memory malloc failure in tif_pixarlog.c. A crafted TIFF document can lead to an abort, resulting in a remote denial of service attack.","package":"libtiff-4.0.9-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in libtiff 4.2.0. Not yet merged into Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:56.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-35523","source":"anchore_cve","description":"An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libtiff-4.0.9-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:56.000Z","justification":"Fixed upstream in libtiff 4.2.0. Not yet merged into Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:52.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-35523","source":"twistlock_cve","description":"An integer overflow flaw was found in libtiff that exists in the tif_getimage.c file. This flaw allows an attacker to inject and execute arbitrary code when a user opens a crafted TIFF file. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libtiff-4.0.9-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in libtiff 4.2.0. Not yet merged into Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-35524","source":"anchore_cve","description":"A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff's TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libtiff-4.0.9-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:56.000Z","justification":"Fixed upstream in libtiff 4.2.0. Not yet merged into Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:52.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-35524","source":"twistlock_cve","description":"A heap-based buffer overflow flaw was found in libtiff in the handling of TIFF images in libtiff\\'s TIFF2PDF tool. A specially crafted TIFF file can lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libtiff-4.0.9-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in libtiff 4.2.0. Not yet merged into Redhat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-36330","source":"anchore_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-36330","source":"twistlock_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkVerifyAndAssign. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-36331","source":"anchore_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-36331","source":"twistlock_cve","description":"A flaw was found in libwebp in versions before 1.0.1. An out-of-bounds read was found in function ChunkAssignData. The highest threat from this vulnerability is to data confidentiality and to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-36332","source":"anchore_cve","description":"A flaw was found in libwebp in versions before 1.0.1. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-36332","source":"twistlock_cve","description":"A flaw was found in libwebp in versions before 1.0.1. When reading a file libwebp allocates an excessive amount of memory. The highest threat from this vulnerability is to the service availability.","package":"libwebp-1.0.0-3.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in version 1.0.1 in June 2018. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-20231","source":"anchore_cve","description":"A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20231","source":"twistlock_cve","description":"A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20232","source":"anchore_cve","description":"A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20232","source":"twistlock_cve","description":"A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"twistlock_cve","description":"A flaw was found in RPM\\'s hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"anchore_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"twistlock_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \\\"Exposure of Private Personal Information to an Unauthorized Actor\\\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:16.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"anchore_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"anchore_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-11T13:30:57.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-11T13:31:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T13:32:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"twistlock_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-22T21:11:58.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-22T21:14:01.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-22T21:14:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"anchore_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-11T13:30:57.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-11T13:31:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T13:32:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"anchore_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"twistlock_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"anchore_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"anchore_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"twistlock_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user\\'s expectations and intentions and without telling the user it happened.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"anchore_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"anchore_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"twistlock_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take \\'issuercert\\' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn\\'t include the \\'issuer cert\\' which a transfer can setto qualify how to verify the server certificate.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"anchore_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"anchore_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"twistlock_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-16T21:12:09.000Z","justification":"Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-16T21:12:09.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-16T21:16:24.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"anchore_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-23017","source":"anchore_cve","description":"A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.","package":"nginx-filesystem-1.14.1-9.module+el8.0.0+4108+af250afe","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Installed as dependency of php:7.4/minimal, we are not using nginx at run time.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-23017","source":"twistlock_cve","description":"A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact.","package":"nginx-filesystem-1.14.1-9.module+el8.0.0+4108+af250afe","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Installed as dependency of php:7.4/minimal, we are not using nginx at run time.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-23840","source":"anchore_cve","description":"Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:20:25.000Z","justification":"Upstream patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:53.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-23840","source":"twistlock_cve","description":"Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Upstream patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-23840","source":"anchore_cve","description":"Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-03-31T17:41:15.000Z","justification":"Vendor patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-03-31T17:41:44.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-03-31T17:46:26.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-23841","source":"anchore_cve","description":"The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:20:25.000Z","justification":"Upstream patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:53.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-23841","source":"twistlock_cve","description":"The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Upstream patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-23841","source":"anchore_cve","description":"The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-03-31T17:41:15.000Z","justification":"Vendor patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-03-31T17:41:44.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-03-31T17:46:26.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-26926","source":"anchore_cve","description":"A flaw was found in jasper before 2.0.25. An out of bounds read issue was found in jp2_decode function whic may lead to disclosure of information or program crash.","package":"jasper-libs-2.0.14-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in jasper 2.0.25, not yet merged into Red Hat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:51.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-26927","source":"anchore_cve","description":"A flaw was found in jasper before 2.0.25. A null pointer dereference in jp2_decode in jp2_dec.c may lead to program crash and denial of service.","package":"jasper-libs-2.0.14-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in jasper 2.0.25, not yet merged into Red Hat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:52.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-28153","source":"anchore_cve","description":"An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)","package":"glib2-2.56.4-10.el8_4.1","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","justification":"Upstream patched in version 2.67.6 on 3/10/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-11T14:31:51.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-28153","source":"twistlock_cve","description":"An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)","package":"glib2-2.56.4-10.el8_4.1","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","justification":"Upstream patched in version 2.67.6 on 3/10/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-11T14:31:51.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-29338","source":"anchore_cve","description":"Integer Overflow in OpenJPEG v2.4.0 allows remote attackers to crash the application, causing a Denial of Service (DoS). This occurs when the attacker uses the command line option \"-ImgDir\" on a directory that contains 1048576 files.","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-30T15:57:39.000Z","justification":"No patch available. https://bugzilla.redhat.com/show_bug.cgi?id=1950101","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-30T15:58:44.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-30T16:01:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-31535","source":"anchore_cve","description":"LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.","package":"libX11-1.6.8-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-21T15:05:11.000Z","justification":"Fixed upstream in libX11 1.7.1, Not yet merged into Red Hat RPM","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-21T15:06:19.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-26T01:12:38.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-31535","source":"twistlock_cve","description":"LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.","package":"libX11-1.6.8-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"Fixed upstream in libX11 1.7.1, Not yet merged into Red Hat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:33.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-31535","source":"anchore_cve","description":"LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session.","package":"libX11-common-1.6.8-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-21T15:05:11.000Z","justification":"Fixed upstream in libX11 1.7.1, Not yet merged into Red Hat RPM","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-21T15:06:19.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-26T01:12:38.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-3200","source":"anchore_cve","description":"Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service","package":"libsolv-0.7.16-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T00:31:56.000Z","justification":"True Positive. Published 2020-12-20. No patch available in UBI.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:10:21.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:18:42.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3200","source":"twistlock_cve","description":"Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read","package":"libsolv-0.7.16-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T13:34:08.000Z","justification":"True Positive. Published 2020-12-20. No patch available in UBI.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:34:26.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:35:21.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3272","source":"anchore_cve","description":"jp2_decode in jp2/jp2_dec.c in libjasper in JasPer 2.0.24 has a heap-based buffer over-read when there is an invalid relationship between the number of channels and the number of image components.","package":"jasper-libs-2.0.14-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T14:06:55.000Z","justification":"Fixed upstream in jasper 2.0.25, not yet merged into Red Hat RPM","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T14:23:57.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-20T11:26:52.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-33560","source":"anchore_cve","description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.","package":"libgcrypt-1.8.5-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-16T13:44:47.000Z","justification":"Upstream patched on 5/26/21 in version 1.8.8. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-16T13:52:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-16T13:54:01.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33560","source":"twistlock_cve","description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.","package":"libgcrypt-1.8.5-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-14T13:18:27.000Z","justification":"Upstream patched on 5/26/21 in version 1.8.8. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-14T13:19:43.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-14T13:20:42.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"twistlock_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T13:31:07.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:34:26.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:35:21.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"twistlock_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3426","source":"anchore_cve","description":"There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.","package":"platform-python-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:10.000Z","justification":"No upstream fix is available.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3426","source":"anchore_cve","description":"There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.","package":"python3-libs-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:10.000Z","justification":"No upstream fix is available.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:13.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"twistlock_cve","description":"A flaw was found in libdnf\\'s signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T18:16:40.000Z","justification":"Patched upstream in version 0.60.1 on 4/12/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T18:17:14.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T18:19:19.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"python3-hawkey-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"python3-libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:13.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3572","source":"anchore_cve","description":"none","package":"python3-pip-wheel-9.0.3-19.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T15:13:07.000Z","justification":"Upstream patched in version 21.1. Red Hat has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T15:13:50.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T15:25:13.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3575","source":"anchore_cve","description":"none","package":"openjpeg2-2.3.1-6.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"No fix available","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-3580","source":"anchore_cve","description":"A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","package":"nettle-3.4.1-4.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-08T18:20:21.000Z","justification":"Patched upstream in version 3.7.3 on 5/17/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-08T18:20:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-08T18:21:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3580","source":"twistlock_cve","description":"A flaw was found in the way nettle\\'s RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","package":"nettle-3.4.1-4.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 3.7.3 on 5/17/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"twistlock_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-23T15:50:48.000Z","justification":"Upstream patched in version 2.34 which is scheduled to be released on 8/1/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-23T18:06:10.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-23T18:09:07.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3605","source":"anchore_cve","description":"There's a flaw in OpenEXR's rleUncompress functionality in versions prior to 3.0.5. An attacker who is able to submit a crafted file to an application linked with OpenEXR could cause an out-of-bounds read. The greatest risk from this flaw is to application availability.","package":"OpenEXR-libs-2.2.0-12.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-29T21:43:35.000Z","justification":"RH will not fix.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-29T21:44:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T18:22:11.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-36084","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36084","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36085","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36085","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36086","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36086","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36087","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36087","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36222","source":"anchore_cve","description":"ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.","package":"krb5-libs-1.18.2-8.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-20T13:36:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-20T13:44:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-20T13:45:06.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3634","source":"anchore_cve","description":"none","package":"libssh-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","justification":"Reported 7/2/21. RedHat has not patched. ","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T20:38:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3634","source":"anchore_cve","description":"none","package":"libssh-config-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","justification":"Reported 7/2/21. RedHat has not patched. ","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T20:38:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3712","source":"anchore_cve","description":"ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).","package":"openssl-1.1.1g-15.el8_3","findingsState":"needs_justification"},{"identifier":"CVE-2021-3712","source":"twistlock_cve","description":"ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL\\'s own \\\"d2i\\\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \\\"data\\\" and \\\"length\\\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \\\"data\\\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints proc","package":"openssl-1.1.1g-15.el8_3","findingsState":"needs_justification"},{"identifier":"CVE-2021-3712","source":"anchore_cve","description":"ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-25T17:22:33.000Z","justification":"Upstream submitted patches on 08/24/2021 to the 1.1.1 branch. No ETA on finalizing a new 1.1.1 release which contains these patches.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-25T17:39:52.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-25T17:40:38.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3737","source":"anchore_cve","description":"none","package":"platform-python-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-26T14:23:26.000Z","justification":"Patched upstream in version 3.6.14 on 6/28/21. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T14:23:38.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T14:24:02.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3737","source":"anchore_cve","description":"none","package":"python3-libs-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-26T14:23:26.000Z","justification":"Patched upstream in version 3.6.14 on 6/28/21. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T14:23:38.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T14:24:02.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-37750","source":"anchore_cve","description":"The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.","package":"krb5-libs-1.18.2-8.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-27T13:49:53.000Z","justification":"Reported 8/23/21, fixed in krb 1.18.5. RedHat has not patched.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-27T13:49:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-27T13:50:39.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"e7573262736ef52353cde3bae2617782","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/umount. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for umount functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}}],"digest":"cf3fd0116e949808c4478aa3d0b5c3ae284f5c0bfc88577e9fea19426ea4d5fe"} INFO: POST Response: 201 section_end:1630417912:step_script section_start:1630417912:upload_artifacts_on_success Uploading artifacts for successful job Uploading artifacts... ci-artifacts/vat_request.json: found 1 matching files and directories Uploading artifacts as "archive" to coordinator... ok id=6107986 responseStatus=201 Created token=P8nREkFg section_end:1630417914:upload_artifacts_on_success section_start:1630417914:cleanup_file_variables Cleaning up file based variables section_end:1630417914:cleanup_file_variables Job succeeded