UNCLASSIFIED - NO CUI

chore(findings): crunchy-data/postgres/postgres

Summary

crunchy-data/postgres/postgres has 83 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=crunchy-data/postgres/postgres&tag=ubi8-15.12&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

| id | source | severity | package | impact | workaround | epss_score | kev |
|---|---|---|---|---|---|---|---|
| CVE-2025-27607 | Anchore CVE | High | python-json-logger-2.0.7 | | | 0.09297 | false |
| CVE-2025-4207 | Anchore CVE | Medium | postgresql-15.12 | | | 0.00326 | false |
| CVE-2019-18874 | Twistlock CVE | High | psutil-5.4.3 | | | 0.00134 | false |
| CVE-2025-12817 | Anchore CVE | Low | postgresql-15.12 | | | 0.00110 | false |
| CVE-2025-12818 | Anchore CVE | Medium | postgresql-15.12 | | | 0.00096 | false |
| CVE-2025-8715 | Anchore CVE | High | postgresql-15.12 | | | 0.00049 | false |
| CVE-2026-2004 | Anchore CVE | High | postgresql-15.12 | | | 0.00048 | false |
| CVE-2026-2004 | Twistlock CVE | Low | postgres-15.12 | | | 0.00048 | false |
| CVE-2026-2006 | Anchore CVE | High | postgresql-15.12 | | | 0.00040 | false |
| CVE-2026-2006 | Twistlock CVE | Low | postgres-15.12 | | | 0.00040 | false |
| CVE-2025-8713 | Anchore CVE | Low | postgresql-15.12 | | | 0.00033 | false |
| CVE-2025-61726 | Twistlock CVE | High | net/url-1.24.3 | | | 0.00032 | false |
| CVE-2025-61726 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00032 | false |
| CVE-2026-25679 | Twistlock CVE | Low | net/url-1.24.3 | | | 0.00031 | false |
| CVE-2026-25679 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00031 | false |
| CVE-2025-66418 | Twistlock CVE | High | urllib3-1.26.20 | | | 0.00029 | false |
| CVE-2026-2005 | Anchore CVE | High | postgresql-15.12 | | | 0.00028 | false |
| CVE-2026-2005 | Twistlock CVE | Low | postgres-15.12 | | | 0.00028 | false |
| CVE-2025-8714 | Anchore CVE | High | postgresql-15.12 | | | 0.00028 | false |
| CVE-2025-61725 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00028 | false |
| CVE-2025-58186 | Twistlock CVE | Low | net/http-1.24.3 | | | 0.00028 | false |
| CVE-2025-58186 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00028 | false |
| CVE-2025-47906 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00028 | false |
| CVE-2026-21441 | Twistlock CVE | High | urllib3-1.26.20 | | | 0.00027 | false |
| CVE-2025-66471 | Twistlock CVE | High | urllib3-1.26.20 | | | 0.00027 | false |
| CVE-2025-61723 | Twistlock CVE | High | encoding/pem-1.24.3 | | | 0.00027 | false |
| CVE-2025-61723 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00027 | false |
| CVE-2025-50181 | Twistlock CVE | Medium | urllib3-1.26.20 | | | 0.00026 | false |
| CVE-2025-22874 | Twistlock CVE | Low | crypto/x509-1.24.3 | | | 0.00025 | false |
| CVE-2025-22874 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00025 | false |
| CVE-2025-58185 | Twistlock CVE | Medium | encoding/asn1-1.24.3 | | | 0.00023 | false |
| CVE-2025-58185 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00023 | false |
| CVE-2025-61729 | Twistlock CVE | High | crypto/x509-1.24.3 | | | 0.00022 | false |
| CVE-2025-61729 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00022 | false |
| CVE-2025-61728 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00022 | false |
| CVE-2025-47912 | Twistlock CVE | Medium | net/url-1.24.3 | | | 0.00022 | false |
| CVE-2025-47912 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00022 | false |
| CVE-2025-4673 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00021 | false |
| CVE-2026-2003 | Anchore CVE | Medium | postgresql-15.12 | | | 0.00019 | false |
| CVE-2026-2003 | Twistlock CVE | Low | postgres-15.12 | | | 0.00019 | false |
| CVE-2025-68121 | Twistlock CVE | Critical | crypto/tls-1.24.3 | | | 0.00017 | false |
| CVE-2025-68121 | Anchore CVE | Critical | stdlib-go1.24.3 | | | 0.00017 | false |
| CVE-2025-61724 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00016 | false |
| CVE-2025-61724 | Twistlock CVE | Medium | net/textproto-1.24.3 | | | 0.00016 | false |
| CVE-2024-5569 | Twistlock CVE | Medium | zipp-3.6.0 | | | 0.00016 | false |
| CVE-2025-58190 | Anchore CVE | Medium | golang.org/x/net-v0.33.0 | | | 0.00015 | false |
| CVE-2025-58187 | Twistlock CVE | High | crypto/x509-1.24.3 | | | 0.00013 | false |
| CVE-2025-58187 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00013 | false |
| CVE-2025-47911 | Anchore CVE | Medium | golang.org/x/net-v0.33.0 | | | 0.00013 | false |
| CVE-2025-58183 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00012 | false |
| CVE-2025-47907 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00012 | false |
| CVE-2025-47907 | Twistlock CVE | High | database/sql-1.24.3 | | | 0.00012 | false |
| CVE-2026-27142 | Twistlock CVE | Low | html/template-1.24.3 | | | 0.00011 | false |
| CVE-2026-27142 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00011 | false |
| CVE-2025-61727 | Twistlock CVE | Medium | crypto/x509-1.24.3 | | | 0.00011 | false |
| CVE-2025-61727 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00011 | false |
| CVE-2025-61731 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00009 | false |
| CVE-2025-58189 | Twistlock CVE | Medium | crypto/tls-1.24.3 | | | 0.00009 | false |
| CVE-2025-58189 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00009 | false |
| CVE-2025-61730 | Twistlock CVE | Medium | crypto/tls-1.24.3 | | | 0.00008 | false |
| CVE-2025-61730 | Anchore CVE | Medium | stdlib-go1.24.3 | | | 0.00008 | false |
| CVE-2025-61732 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00006 | false |
| CVE-2025-58188 | Twistlock CVE | High | crypto/x509-1.24.3 | | | 0.00006 | false |
| CVE-2025-58188 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00006 | false |
| CVE-2026-27139 | Twistlock CVE | Low | os-1.24.3 | | | 0.00005 | false |
| CVE-2026-27139 | Anchore CVE | Low | stdlib-go1.24.3 | | | 0.00005 | false |
| CVE-2025-4674 | Anchore CVE | High | stdlib-go1.24.3 | | | 0.00005 | false |
| addbb93c22e9b0988b8b40392a4538cb | Anchore Compliance | Low | | | | N/A | N/A |
| GHSA-vvgc-356p-c3xw | Anchore CVE | Medium | golang.org/x/net-v0.33.0 | | | N/A | N/A |
| GHSA-qxp5-gwg8-xv66 | Anchore CVE | Medium | golang.org/x/net-v0.33.0 | | | N/A | N/A |
| GHSA-qfc5-mcwq-26q8 | Anchore CVE | High | psutil-5.4.3 | | | N/A | N/A |
| GHSA-pq67-6m6q-mj2v | Anchore CVE | Medium | urllib3-1.26.20 | | | N/A | N/A |
| GHSA-jfmj-5v4g-7637 | Anchore CVE | Medium | zipp-3.6.0 | | | N/A | N/A |
| GHSA-j5w8-q4qc-rx2x | Anchore CVE | Medium | golang.org/x/crypto-v0.32.0 | | | N/A | N/A |
| GHSA-hcg3-q754-cr77 | Anchore CVE | High | golang.org/x/crypto-v0.32.0 | | | N/A | N/A |
| GHSA-gm62-xv2j-4w53 | Anchore CVE | High | urllib3-1.26.20 | | | N/A | N/A |
| GHSA-f6x5-jh6r-wrfv | Anchore CVE | Medium | golang.org/x/crypto-v0.32.0 | | | N/A | N/A |
| GHSA-6v2p-p543-phr9 | Anchore CVE | High | golang.org/x/oauth2-v0.24.0 | | | N/A | N/A |
| GHSA-38jv-5279-wg99 | Anchore CVE | High | urllib3-1.26.20 | | | N/A | N/A |
| GHSA-2xpw-w6gg-jr37 | Anchore CVE | High | urllib3-1.26.20 | | | N/A | N/A |
| CCE-86523-8 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-80807-1 | OSCAP Compliance | Medium | | | | N/A | N/A |
| 1f30ea26e72deadb81b0914bc42c2a8d | Anchore Compliance | Critical | | | | N/A | N/A |

Tasks

Contributor:

  • Apply the StatusReview label to this issue for a merge request review and wait for feedback

OR

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.
