UNCLASSIFIED - NO CUI


chore(findings): gitlab/gitlab/kubectl

Summary

gitlab/gitlab/kubectl has 61 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gitlab/gitlab/kubectl&tag=18.3.1&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

| id | source | severity | package | impact | workaround | epss_score | kev |
|---|---|---|---|---|---|---|---|
| CVE-2024-56433 | Anchore CVE | Low | shadow-utils-2:4.9-12.el9 | | | 0.02806 | false |
| CVE-2024-41996 | Twistlock CVE | Low | openssl-3.2.2-6.el9_5.1 | | | 0.00166 | false |
| CVE-2024-41996 | Anchore CVE | Low | openssl-libs-1:3.2.2-6.el9_5.1 | | | 0.00166 | false |
| CVE-2024-41996 | Anchore CVE | Low | openssl-1:3.2.2-6.el9_5.1 | | | 0.00166 | false |
| CVE-2024-13176 | Twistlock CVE | Low | openssl-3.2.2-6.el9_5.1 | | | 0.00080 | false |
| CVE-2024-13176 | Anchore CVE | Low | openssl-1:3.2.2-6.el9_5.1 | | | 0.00080 | false |
| CVE-2024-13176 | Anchore CVE | Low | openssl-libs-1:3.2.2-6.el9_5.1 | | | 0.00080 | false |
| CVE-2025-47907 | Anchore CVE | High | stdlib-go1.24.4 | | | 0.00054 | false |
| CVE-2025-47907 | Anchore CVE | High | stdlib-go1.24.5 | | | 0.00054 | false |
| CVE-2025-1767 | Twistlock CVE | Medium | k8s.io/kubernetes-v1.33.3 | | | 0.00051 | false |
| CVE-2025-4598 | Twistlock CVE | Medium | systemd-252-51.el9_6.1 | | | 0.00037 | false |
| CVE-2025-4598 | Anchore CVE | Medium | systemd-libs-252-51.el9_6.1 | | | 0.00037 | false |
| CVE-2025-32728 | Twistlock CVE | Medium | openssh-8.7p1-45.el9 | | | 0.00033 | false |
| CVE-2025-32728 | Anchore CVE | Medium | openssh-8.7p1-45.el9 | | | 0.00033 | false |
| CVE-2023-4156 | Twistlock CVE | Low | gawk-5.1.0-6.el9 | | | 0.00031 | false |
| CVE-2023-4156 | Anchore CVE | Low | gawk-5.1.0-6.el9 | | | 0.00031 | false |
| CVE-2025-8941 | Twistlock CVE | High | pam-1.5.1-25.el9_6 | | | 0.00023 | false |
| CVE-2025-8941 | Anchore CVE | High | pam-1.5.1-25.el9_6 | | | 0.00023 | false |
| CVE-2025-5187 | Twistlock CVE | Medium | k8s.io/kubernetes-v1.33.3 | | | 0.00015 | false |
| CVE-2025-4674 | Anchore CVE | High | stdlib-go1.24.4 | | | 0.00006 | false |
| CVE-2024-7598 | Twistlock CVE | Low | k8s.io/kubernetes-v1.33.3 | | | 0.00006 | false |
| CVE-2023-51767 | Twistlock CVE | Medium | openssh-8.7p1-45.el9 | | | 0.00005 | false |
| CVE-2023-51767 | Anchore CVE | Medium | openssh-8.7p1-45.el9 | | | 0.00005 | false |
| e7573262736ef52353cde3bae2617782 | Anchore Compliance | Low | | | | N/A | N/A |
| c2e44319ae5b3b040044d8ae116d1c2f | Anchore Compliance | Low | | | | N/A | N/A |
| addbb93c22e9b0988b8b40392a4538cb | Anchore Compliance | Low | | | | N/A | N/A |
| abb121e9621abdd452f65844954cf1c1 | Anchore Compliance | Low | | | | N/A | N/A |
| GHSA-4x4m-3c2p-qppc | Anchore CVE | Medium | k8s.io/kubernetes-v1.33.3 | | | N/A | N/A |
| CCE-90828-5 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-88413-0 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-87721-7 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-86356-3 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-86100-5 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-86068-4 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83647-8 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83641-1 | OSCAP Compliance | Low | | | | N/A | N/A |
| CCE-83635-3 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83627-0 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83621-3 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83615-5 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83610-6 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83606-4 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83589-2 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83588-4 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83587-6 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83583-5 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83579-3 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83575-1 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83570-2 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83568-6 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83567-8 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83566-0 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83565-2 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83564-5 | OSCAP Compliance | Medium | | | | N/A | N/A |
| CCE-83563-7 | OSCAP Compliance | Medium | | | | N/A | N/A |
| 698044205a9c4a6d48b7937e66a6bf4f | Anchore Compliance | Low | | | | N/A | N/A |
| 639f6f1177735759703e928c14714a59 | Anchore Compliance | Low | | | | N/A | N/A |
| 463a9a24225c26f7a5bf3f38908e5cb3 | Anchore Compliance | Low | | | | N/A | N/A |
| 3e5fad1c039f3ecfd1dcdc94d2f1f9a0 | Anchore Compliance | Low | | | | N/A | N/A |
| 34de21e516c0ca50a96e5386f163f8bf | Anchore Compliance | Low | | | | N/A | N/A |
| 320a97c6816565eedf3545833df99dd0 | Anchore Compliance | Low | | | | N/A | N/A |


Tasks

Contributor:

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.
