UNCLASSIFIED - NO CUI

chore(findings): gitlab/gitlab-runner/ubi-fips-base (arm64)

Summary

gitlab/gitlab-runner/ubi-fips-base (arm64) has 131 new findings discovered during continuous monitoring.

Layer: redhat/ubi/ubi9-micro:9.6-arm64 is EOL, please update if possible

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gitlab/gitlab-runner/ubi-fips-base&tag=9.6-arm64&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id source severity package impact workaround epss_score kev
CVE-2024-7264 Twistlock CVE Low curl-7.76.1-34.el9 0.05357 false
CVE-2024-7264 Anchore CVE Low libcurl-minimal-7.76.1-34.el9 0.05357 false
CVE-2024-9681 Twistlock CVE Low curl-7.76.1-34.el9 0.01225 false
CVE-2024-9681 Anchore CVE Low libcurl-minimal-7.76.1-34.el9 0.01225 false
CVE-2024-41996 Twistlock CVE Low openssl-1:3.5.1-4.el9_7 0.00690 false
CVE-2024-41996 Anchore CVE Low openssl-1:3.5.1-4.el9_7 0.00690 false
CVE-2024-11053 Twistlock CVE Low curl-7.76.1-34.el9 0.00337 false
CVE-2024-11053 Anchore CVE Low libcurl-minimal-7.76.1-34.el9 0.00337 false
CVE-2022-41723 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00235 false
CVE-2022-41723 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00235 false
CVE-2017-1000383 Twistlock CVE Low emacs-1:27.2-18.el9 0.00142 false
CVE-2024-13176 Twistlock CVE Low openssl-1:3.5.1-4.el9_7 0.00123 false
CVE-2024-13176 Anchore CVE Low openssl-1:3.5.1-4.el9_7 0.00123 false
CVE-2024-13176 Anchore CVE Low openssl-libs-1:3.5.1-4.el9_7 0.00123 false
CVE-2023-29409 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00112 false
CVE-2023-29409 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00112 false
CVE-2025-9086 Twistlock CVE Medium curl-7.76.1-34.el9 0.00095 false
CVE-2025-9086 Anchore CVE Medium libcurl-minimal-7.76.1-34.el9 0.00095 false
CVE-2023-47038 Twistlock CVE Medium perl-0:5.32.1-481.1.el9_6 0.00090 false
CVE-2024-45336 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00078 false
CVE-2024-45336 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00078 false
CVE-2023-24536 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00059 false
CVE-2023-24536 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00059 false
CVE-2023-50495 Twistlock CVE Low ncurses-6.2-12.20210508.el9 0.00051 false
CVE-2023-50495 Anchore CVE Low ncurses-libs-6.2-12.20210508.el9 0.00051 false
CVE-2023-50495 Anchore CVE Low ncurses-base-6.2-12.20210508.el9 0.00051 false
CVE-2023-50495 Anchore CVE Low ncurses-6.2-12.20210508.el9 0.00051 false
CVE-2022-27943 Twistlock CVE Low gcc-11.5.0-11.el9 0.00050 false
CVE-2025-32728 Twistlock CVE Medium openssh-8.7p1-46.el9 0.00048 false
CVE-2025-32728 Anchore CVE Medium openssh-clients-8.7p1-46.el9 0.00048 false
CVE-2025-32728 Anchore CVE Medium openssh-8.7p1-46.el9 0.00048 false
CVE-2024-45341 Twistlock CVE Low git-lfs-3.6.1-3.el9 0.00048 false
CVE-2024-45341 Anchore CVE Low git-lfs-3.6.1-3.el9 0.00048 false
CVE-2022-41725 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00046 false
CVE-2022-41725 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00046 false
CVE-2025-45582 Anchore CVE Medium tar-2:1.34-7.el9 0.00040 false
CVE-2025-45582 Twistlock CVE Medium tar-2:1.34-7.el9 0.00040 false
CVE-2023-24534 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00040 false
CVE-2023-24534 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00040 false
CVE-2024-8244 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00039 false
CVE-2024-8244 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00039 false
CVE-2023-39804 Anchore CVE Low tar-2:1.34-7.el9 0.00039 false
CVE-2023-39804 Twistlock CVE Low tar-2:1.34-7.el9 0.00039 false
CVE-2025-58185 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00033 false
CVE-2025-58185 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00033 false
CVE-2023-4156 Anchore CVE Low gawk-all-langpacks-5.1.0-6.el9 0.00031 false
CVE-2025-9232 Twistlock CVE Low openssl-1:3.5.1-4.el9_7 0.00027 false
CVE-2025-9232 Anchore CVE Low openssl-libs-1:3.5.1-4.el9_7 0.00027 false
CVE-2025-9232 Anchore CVE Low openssl-1:3.5.1-4.el9_7 0.00027 false
CVE-2025-26625 Twistlock CVE High git-lfs-3.6.1-3.el9 0.00027 false
CVE-2025-26625 Anchore CVE High git-lfs-3.6.1-3.el9 0.00027 false
CVE-2025-61723 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00026 false
CVE-2025-61723 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00026 false
CVE-2025-61724 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00025 false
CVE-2025-61724 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00025 false
CVE-2022-23806 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00024 false
CVE-2025-22870 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00023 false
CVE-2025-22870 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00023 false
CVE-2025-47906 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00020 false
CVE-2025-47906 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00020 false
CVE-2025-58189 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00019 false
CVE-2025-58189 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00019 false
CVE-2025-66382 Twistlock CVE Low expat-2.5.0-5.el9_7.1 0.00017 false
CVE-2025-66382 Anchore CVE Low expat-2.5.0-5.el9_7.1 0.00017 false
CVE-2025-22866 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00017 false
CVE-2025-22866 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00017 false
CVE-2025-10966 Twistlock CVE Medium curl-7.76.1-34.el9 0.00017 false
CVE-2025-10966 Anchore CVE Medium libcurl-minimal-7.76.1-34.el9 0.00017 false
CVE-2022-41724 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00016 false
CVE-2022-41724 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00016 false
CVE-2025-58188 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00014 false
CVE-2025-58188 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00014 false
CVE-2025-14104 Twistlock CVE Medium util-linux-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium libsmartcols-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium libuuid-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium util-linux-core-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium libmount-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium libblkid-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium util-linux-2.37.4-21.el9 0.00014 false
CVE-2025-14104 Anchore CVE Medium libfdisk-2.37.4-21.el9 0.00014 false
CVE-2025-47910 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00012 false
CVE-2025-47910 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00012 false
CVE-2025-61985 Twistlock CVE Medium openssh-8.7p1-46.el9 0.00011 false
CVE-2025-61985 Anchore CVE Medium openssh-8.7p1-46.el9 0.00011 false
CVE-2025-61985 Anchore CVE Medium openssh-clients-8.7p1-46.el9 0.00011 false
CVE-2025-48386 Anchore CVE Medium perl-Git-2.47.3-1.el9_6 0.00011 false
CVE-2025-48386 Anchore CVE Medium git-core-doc-2.47.3-1.el9_6 0.00011 false
CVE-2025-48386 Anchore CVE Medium git-2.47.3-1.el9_6 0.00011 false
CVE-2025-48386 Anchore CVE Medium git-core-2.47.3-1.el9_6 0.00011 false
CVE-2025-48386 Twistlock CVE Medium git-2.47.3-1.el9_6 0.00011 false
CVE-2025-4673 Twistlock CVE Medium git-lfs-3.6.1-3.el9 0.00010 false
CVE-2025-4673 Anchore CVE Medium git-lfs-3.6.1-3.el9 0.00010 false
CVE-2023-51767 Anchore CVE Medium openssh-8.7p1-46.el9 0.00010 false
CVE-2023-51767 Anchore CVE Medium openssh-clients-8.7p1-46.el9 0.00010 false
CVE-2025-40909 Twistlock CVE Medium perl-0:5.32.1-481.1.el9_6 0.00009 false
CVE-2025-61984 Twistlock CVE Medium openssh-8.7p1-46.el9 0.00006 false
CVE-2025-61984 Anchore CVE Medium openssh-8.7p1-46.el9 0.00006 false
CVE-2025-61984 Anchore CVE Medium openssh-clients-8.7p1-46.el9 0.00006 false
CVE-2025-62813 Anchore CVE Low lz4-libs-1.9.3-5.el9 N/A false
e7573262736ef52353cde3bae2617782 Anchore Compliance Low N/A N/A
dd33f9ae335b0724372e0508851608ba Anchore Compliance Critical N/A N/A
cbff271f45d32e78dcc1979dbca9c14d Anchore Compliance Critical N/A N/A
addbb93c22e9b0988b8b40392a4538cb Anchore Compliance Low N/A N/A
abb121e9621abdd452f65844954cf1c1 Anchore Compliance Low N/A N/A
CCE-90085-2 OSCAP Compliance Medium N/A N/A
CCE-88413-0 OSCAP Compliance Medium N/A N/A
CCE-86356-3 OSCAP Compliance Medium N/A N/A
CCE-86068-4 OSCAP Compliance Medium N/A N/A
CCE-83980-3 OSCAP Compliance Medium N/A N/A
CCE-83641-1 OSCAP Compliance Low N/A N/A
CCE-83621-3 OSCAP Compliance Medium N/A N/A
CCE-83615-5 OSCAP Compliance Medium N/A N/A
CCE-83589-2 OSCAP Compliance Medium N/A N/A
CCE-83588-4 OSCAP Compliance Medium N/A N/A
CCE-83587-6 OSCAP Compliance Medium N/A N/A
CCE-83583-5 OSCAP Compliance Medium N/A N/A
CCE-83579-3 OSCAP Compliance Medium N/A N/A
CCE-83575-1 OSCAP Compliance Medium N/A N/A
CCE-83570-2 OSCAP Compliance Medium N/A N/A
CCE-83568-6 OSCAP Compliance Medium N/A N/A
CCE-83567-8 OSCAP Compliance Medium N/A N/A
CCE-83566-0 OSCAP Compliance Medium N/A N/A
CCE-83565-2 OSCAP Compliance Medium N/A N/A
CCE-83564-5 OSCAP Compliance Medium N/A N/A
CCE-83563-7 OSCAP Compliance Medium N/A N/A
698044205a9c4a6d48b7937e66a6bf4f Anchore Compliance Low N/A N/A
3e5fad1c039f3ecfd1dcdc94d2f1f9a0 Anchore Compliance Low N/A N/A
34de21e516c0ca50a96e5386f163f8bf Anchore Compliance Low N/A N/A
320a97c6816565eedf3545833df99dd0 Anchore Compliance Low N/A N/A
1ecec1e40ccbe23f44510a519bf45ad5 Anchore Compliance Critical N/A N/A
06326817a751383683daa4f085406e9e Anchore Compliance Critical N/A N/A

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gitlab/gitlab-runner/ubi-fips-base&tag=9.6-arm64&branch=master

Tasks

Contributor:

  • Apply the StatusReview label to this issue for a merge request review and wait for feedback

OR

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.

Edited by CHORE_TOKEN
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

UNCLASSIFIED - NO CUI