UNCLASSIFIED - NO CUI

chore(findings): gitlab/gitlab/kubectl

Summary

gitlab/gitlab/kubectl has 80 new findings discovered during continuous monitoring.

Layer: redhat/ubi/ubi9-micro:9.6 is EOL, please update if possible

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gitlab/gitlab/kubectl&tag=18.6.2&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id source severity package impact workaround epss_score kev
CVE-2024-41996 Twistlock CVE Low openssl-1:3.5.1-4.el9_7 0.00690 false
CVE-2024-41996 Anchore CVE Low openssl-1:3.5.1-4.el9_7 0.00690 false
CVE-2024-41996 Anchore CVE Low openssl-libs-1:3.5.1-4.el9_7 0.00690 false
CVE-2024-13176 Twistlock CVE Low openssl-1:3.5.1-4.el9_7 0.00123 false
CVE-2024-13176 Anchore CVE Low openssl-1:3.5.1-4.el9_7 0.00123 false
CVE-2024-13176 Anchore CVE Low openssl-libs-1:3.5.1-4.el9_7 0.00123 false
CVE-2025-1767 Twistlock CVE Medium k8s.io/kubernetes-v1.34.2 0.00083 false
CVE-2023-50495 Twistlock CVE Low ncurses-6.2-12.20210508.el9 0.00051 false
CVE-2023-50495 Anchore CVE Low ncurses-libs-6.2-12.20210508.el9 0.00051 false
CVE-2023-50495 Anchore CVE Low ncurses-base-6.2-12.20210508.el9 0.00051 false
CVE-2022-27943 Twistlock CVE Low gcc-11.5.0-11.el9 0.00050 false
CVE-2025-32728 Twistlock CVE Medium openssh-8.7p1-46.el9 0.00048 false
CVE-2025-32728 Anchore CVE Medium openssh-8.7p1-46.el9 0.00048 false
CVE-2023-4156 Twistlock CVE Low gawk-5.1.0-6.el9 0.00031 false
CVE-2023-4156 Anchore CVE Low gawk-5.1.0-6.el9 0.00031 false
CVE-2025-9232 Twistlock CVE Low openssl-1:3.5.1-4.el9_7 0.00027 false
CVE-2025-9232 Anchore CVE Low openssl-1:3.5.1-4.el9_7 0.00027 false
CVE-2025-9232 Anchore CVE Low openssl-libs-1:3.5.1-4.el9_7 0.00027 false
CVE-2025-61727 Twistlock CVE Low crypto/x509-1.24.9 0.00021 false
CVE-2025-61727 Twistlock CVE Low crypto/x509-1.25.2 0.00021 false
CVE-2025-61727 Anchore CVE Medium stdlib-go1.25.2 0.00021 false
CVE-2025-61727 Anchore CVE Medium stdlib-go1.24.9 0.00021 false
CVE-2025-61729 Twistlock CVE Low crypto/x509-1.25.2 0.00016 false
CVE-2025-61729 Twistlock CVE Low crypto/x509-1.24.9 0.00016 false
CVE-2025-61729 Anchore CVE High stdlib-go1.25.2 0.00016 false
CVE-2025-61729 Anchore CVE High stdlib-go1.24.9 0.00016 false
CVE-2025-58187 Twistlock CVE Low crypto/x509-1.25.2 0.00015 false
CVE-2025-58187 Anchore CVE High stdlib-go1.25.2 0.00015 false
CVE-2025-14104 Twistlock CVE Medium util-linux-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium libsmartcols-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium libuuid-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium util-linux-core-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium libmount-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium libblkid-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium util-linux-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium libfdisk-2.37.4-21.el9 0.00014 false
CVE-2024-7598 Twistlock CVE Low k8s.io/kubernetes-v1.34.2 0.00014 false
CVE-2025-61985 Twistlock CVE Medium openssh-8.7p1-46.el9 0.00011 false
CVE-2025-61985 Anchore CVE Medium openssh-8.7p1-46.el9 0.00011 false
CVE-2023-51767 Anchore CVE Medium openssh-8.7p1-46.el9 0.00010 false
CVE-2025-61984 Twistlock CVE Medium openssh-8.7p1-46.el9 0.00006 false
CVE-2025-61984 Anchore CVE Medium openssh-8.7p1-46.el9 0.00006 false
CVE-2025-62813 Anchore CVE Low lz4-libs-1.9.3-5.el9 N/A false
e7573262736ef52353cde3bae2617782 Anchore Compliance Low N/A N/A
c2e44319ae5b3b040044d8ae116d1c2f Anchore Compliance Low N/A N/A
addbb93c22e9b0988b8b40392a4538cb Anchore Compliance Low N/A N/A
abb121e9621abdd452f65844954cf1c1 Anchore Compliance Low N/A N/A
CCE-90828-5 OSCAP Compliance Medium N/A N/A
CCE-88413-0 OSCAP Compliance Medium N/A N/A
CCE-87721-7 OSCAP Compliance Medium N/A N/A
CCE-86356-3 OSCAP Compliance Medium N/A N/A
CCE-86100-5 OSCAP Compliance Medium N/A N/A
CCE-86068-4 OSCAP Compliance Medium N/A N/A
CCE-83647-8 OSCAP Compliance Medium N/A N/A
CCE-83641-1 OSCAP Compliance Low N/A N/A
CCE-83635-3 OSCAP Compliance Medium N/A N/A
CCE-83627-0 OSCAP Compliance Medium N/A N/A
CCE-83621-3 OSCAP Compliance Medium N/A N/A
CCE-83615-5 OSCAP Compliance Medium N/A N/A
CCE-83610-6 OSCAP Compliance Medium N/A N/A
CCE-83606-4 OSCAP Compliance Medium N/A N/A
CCE-83589-2 OSCAP Compliance Medium N/A N/A
CCE-83588-4 OSCAP Compliance Medium N/A N/A
CCE-83587-6 OSCAP Compliance Medium N/A N/A
CCE-83583-5 OSCAP Compliance Medium N/A N/A
CCE-83579-3 OSCAP Compliance Medium N/A N/A
CCE-83575-1 OSCAP Compliance Medium N/A N/A
CCE-83570-2 OSCAP Compliance Medium N/A N/A
CCE-83568-6 OSCAP Compliance Medium N/A N/A
CCE-83567-8 OSCAP Compliance Medium N/A N/A
CCE-83566-0 OSCAP Compliance Medium N/A N/A
CCE-83565-2 OSCAP Compliance Medium N/A N/A
CCE-83564-5 OSCAP Compliance Medium N/A N/A
CCE-83563-7 OSCAP Compliance Medium N/A N/A
698044205a9c4a6d48b7937e66a6bf4f Anchore Compliance Low N/A N/A
639f6f1177735759703e928c14714a59 Anchore Compliance Low N/A N/A
463a9a24225c26f7a5bf3f38908e5cb3 Anchore Compliance Low N/A N/A
3e5fad1c039f3ecfd1dcdc94d2f1f9a0 Anchore Compliance Low N/A N/A
34de21e516c0ca50a96e5386f163f8bf Anchore Compliance Low N/A N/A
320a97c6816565eedf3545833df99dd0 Anchore Compliance Low N/A N/A

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gitlab/gitlab/kubectl&tag=18.6.2&branch=master

Tasks

Contributor:

  • Apply the StatusReview label to this issue for a merge request review and wait for feedback

OR

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.

Edited by CHORE_TOKEN
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

UNCLASSIFIED - NO CUI