chore(findings): gitlab/gitlab/gitlab-toolbox
Summary
gitlab/gitlab/gitlab-toolbox has 65 new findings discovered during continuous monitoring.
Layer: redhat/ubi/ubi9-micro:9.6 is EOL, please update if possible
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gitlab/gitlab/gitlab-toolbox&tag=18.6.2&branch=master
EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.
KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.
| id | source | severity | package | impact | workaround | epss_score | kev |
|---|---|---|---|---|---|---|---|
| CVE-2024-12797 | Twistlock CVE | Low | cryptography-43.0.3 | 0.01231 | false | ||
| CVE-2024-41996 | Anchore CVE | Low | openssl-1:3.5.1-4.el9_7 | 0.00690 | false | ||
| CVE-2025-8194 | Anchore CVE | High | python-3.9.23 | 0.00223 | false | ||
| CVE-2025-8194 | Anchore CVE | High | python-3.9.23 | 0.00223 | false | ||
| CVE-2024-5642 | Anchore CVE | Medium | python-3.9.23 | 0.00187 | false | ||
| CVE-2024-5642 | Anchore CVE | Medium | python-3.9.23 | 0.00187 | false | ||
| CVE-2025-6069 | Anchore CVE | Medium | python-3.9.23 | 0.00163 | false | ||
| CVE-2025-6069 | Anchore CVE | Medium | python-3.9.23 | 0.00163 | false | ||
| CVE-2024-13176 | Anchore CVE | Low | openssl-1:3.5.1-4.el9_7 | 0.00123 | false | ||
| CVE-2025-8291 | Anchore CVE | Medium | python-3.9.23 | 0.00113 | false | ||
| CVE-2025-8291 | Anchore CVE | Medium | python-3.9.23 | 0.00113 | false | ||
| CVE-2025-13836 | Anchore CVE | Medium | python-3.9.23 | 0.00066 | false | ||
| CVE-2025-13836 | Anchore CVE | Medium | python-3.9.23 | 0.00066 | false | ||
| CVE-2025-12084 | Anchore CVE | Medium | python-3.9.23 | 0.00060 | false | ||
| CVE-2025-12084 | Anchore CVE | Medium | python-3.9.23 | 0.00060 | false | ||
| CVE-2025-58185 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00033 | false | ||
| CVE-2025-58185 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00033 | false | ||
| CVE-2025-9403 | Twistlock CVE | Low | jq-1.6-19.el9 | 0.00031 | false | ||
| CVE-2025-9403 | Anchore CVE | Low | jq-1.6-19.el9 | 0.00031 | false | ||
| CVE-2025-58186 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00029 | false | ||
| CVE-2025-58186 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00029 | false | ||
| CVE-2025-9232 | Anchore CVE | Low | openssl-1:3.5.1-4.el9_7 | 0.00027 | false | ||
| CVE-2025-61725 | Anchore CVE | High | stdlib-go1.24.6 | 0.00026 | false | ||
| CVE-2025-61725 | Anchore CVE | High | stdlib-go1.24.6 | 0.00026 | false | ||
| CVE-2025-61723 | Anchore CVE | High | stdlib-go1.24.6 | 0.00026 | false | ||
| CVE-2025-61723 | Anchore CVE | High | stdlib-go1.24.6 | 0.00026 | false | ||
| CVE-2025-61724 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00025 | false | ||
| CVE-2025-61724 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00025 | false | ||
| CVE-2025-47912 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00025 | false | ||
| CVE-2025-47912 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00025 | false | ||
| CVE-2025-61727 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00021 | false | ||
| CVE-2025-61727 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00021 | false | ||
| CVE-2025-58189 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00019 | false | ||
| CVE-2025-58189 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00019 | false | ||
| CVE-2025-66471 | Twistlock CVE | High | urllib3-1.26.20 | As of 20251212, we have received no reports of active exploitation in the wild. Users would need to stream compressed content from untrusted sources. | 0.00018 | false | |
| CVE-2025-66418 | Twistlock CVE | High | urllib3-1.26.20 | As of 20251212, we have received no reports of active exploitation in the wild. Users would need to make requests to untrusted sources. | Use preloadcontentFalse and ensure that resp.headerscontentencoding contains a safe number of encodings before reading the response content. | 0.00018 | false |
| CVE-2025-13837 | Anchore CVE | Low | python-3.9.23 | 0.00018 | false | ||
| CVE-2025-13837 | Anchore CVE | Low | python-3.9.23 | 0.00018 | false | ||
| CVE-2025-6075 | Anchore CVE | Low | python-3.9.23 | 0.00017 | false | ||
| CVE-2025-6075 | Anchore CVE | Low | python-3.9.23 | 0.00017 | false | ||
| CVE-2025-61729 | Anchore CVE | High | stdlib-go1.24.6 | 0.00016 | false | ||
| CVE-2025-61729 | Anchore CVE | High | stdlib-go1.24.6 | 0.00016 | false | ||
| CVE-2025-58187 | Anchore CVE | High | stdlib-go1.24.6 | 0.00015 | false | ||
| CVE-2025-58187 | Anchore CVE | High | stdlib-go1.24.6 | 0.00015 | false | ||
| CVE-2025-50181 | Twistlock CVE | Medium | urllib3-1.26.20 | Most users dont disable redirects on the PoolManager. | Set redirectsFalseredirects0 on the .request call instead of on the toplevel urllib3.PoolManager | 0.00015 | false |
| CVE-2025-58188 | Anchore CVE | High | stdlib-go1.24.6 | 0.00014 | false | ||
| CVE-2025-58188 | Anchore CVE | High | stdlib-go1.24.6 | 0.00014 | false | ||
| CVE-2025-58183 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00014 | false | ||
| CVE-2025-58183 | Anchore CVE | Medium | stdlib-go1.24.6 | 0.00014 | false | ||
| d26831fbaf0c55e1ea12822b5a601d59 | Anchore Compliance | Critical | N/A | N/A | |||
| b07fb9a6041803c3a5b9f770a4ddad88 | Anchore Compliance | Critical | N/A | N/A | |||
| GHSA-pq67-6m6q-mj2v | Anchore CVE | Medium | urllib3-1.26.20 | N/A | N/A | ||
| GHSA-j5w8-q4qc-rx2x | Anchore CVE | Medium | golang.org/x/crypto-v0.40.0 | N/A | N/A | ||
| GHSA-j5w8-q4qc-rx2x | Anchore CVE | Medium | golang.org/x/crypto-v0.42.0 | N/A | N/A | ||
| GHSA-gm62-xv2j-4w53 | Anchore CVE | High | urllib3-1.26.20 | N/A | N/A | ||
| GHSA-f6x5-jh6r-wrfv | Anchore CVE | Medium | golang.org/x/crypto-v0.40.0 | N/A | N/A | ||
| GHSA-f6x5-jh6r-wrfv | Anchore CVE | Medium | golang.org/x/crypto-v0.42.0 | N/A | N/A | ||
| GHSA-79v4-65xg-pq4g | Anchore CVE | Low | cryptography-43.0.3 | N/A | N/A | ||
| GHSA-2xpw-w6gg-jr37 | Anchore CVE | High | urllib3-1.26.20 | N/A | N/A | ||
| CCE-83911-8 | OSCAP Compliance | Medium | N/A | N/A | |||
| CCE-83909-2 | OSCAP Compliance | Medium | N/A | N/A | |||
| 87306eece977d8b1218595f00e523972 | Anchore Compliance | Critical | N/A | N/A | |||
| 4ddc8c868c18b2acd45cb151b588cd79 | Anchore Compliance | Critical | N/A | N/A | |||
| 4a8742652dc412083dfb30962fc9d07c | Anchore Compliance | Critical | N/A | N/A | |||
| 166a6dc400cf9f68e274967f656d8984 | Anchore Compliance | Critical | N/A | N/A |
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gitlab/gitlab/gitlab-toolbox&tag=18.6.2&branch=master
Tasks
Contributor:
-
Apply the StatusReview label to this issue for a merge request reviewand wait for feedback
OR
-
Provide justifications for findings in the VAT (docs) -
Apply the StatusVerification label to this issue for a VAT justifications reviewand wait for feedback
Iron Bank:
-
Review findings and justifications
Note: If the above process is rejected for any reason, the
RevieworVerificationlabel will be removed and the issue will be sent back toTo-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add theRevieworVerificationlabel.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.
Edited by CHORE_TOKEN