chore(findings): gladstone/afta/webapp
Summary
gladstone/afta/webapp has 49 new findings discovered during continuous monitoring.
Layer: opensource/nodejs/nodejs22:22.18-ubi9 is EOL, please update if possible
Layer: redhat/ubi/ubi9:9.6 is EOL, please update if possible
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gladstone/afta/webapp&tag=0.33.0&branch=master
EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.
KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.
| id | source | severity | package | impact | workaround | epss_score | kev |
|---|---|---|---|---|---|---|---|
| CVE-2025-14087 | Twistlock CVE | Medium | glib2-2.68.4-16.el9_6.2 | 0.00197 | false | ||
| CVE-2025-14087 | Anchore CVE | Medium | glib2-2.68.4-16.el9_6.2 | 0.00197 | false | ||
| CVE-2025-66400 | Twistlock CVE | Medium | mdast-util-to-hast-13.2.0 | 0.00067 | false | ||
| CVE-2025-13836 | Anchore CVE | Medium | python3-libs-3.9.21-2.el9_6.2 | 0.00066 | false | ||
| CVE-2025-13836 | Anchore CVE | Medium | python3-3.9.21-2.el9_6.2 | 0.00066 | false | ||
| CVE-2025-13836 | Twistlock CVE | Medium | python3.9-3.9.21-2.el9_6.2 | 0.00066 | false | ||
| CVE-2025-64756 | Twistlock CVE | Low | glob-10.4.5 | 0.00036 | false | ||
| CVE-2025-14512 | Twistlock CVE | Medium | glib2-2.68.4-16.el9_6.2 | 0.00034 | false | ||
| CVE-2025-14512 | Anchore CVE | Medium | glib2-2.68.4-16.el9_6.2 | 0.00034 | false | ||
| CVE-2025-6020 | Anchore CVE | High | pam-1.5.1-25.el9_6 | 0.00032 | false | ||
| CVE-2025-6965 | Anchore CVE | High | sqlite-libs-3.34.1-8.el9_6 | 0.00022 | false | ||
| CVE-2025-66471 | Twistlock CVE | High | urllib3-1.26.5 | As of 20251212, we have received no reports of active exploitation in the wild. Users would need to stream compressed content from untrusted sources. | 0.00018 | false | |
| CVE-2025-66418 | Twistlock CVE | High | urllib3-1.26.5 | As of 20251212, we have received no reports of active exploitation in the wild. Users would need to make requests to untrusted sources. | Use preloadcontentFalse and ensure that resp.headerscontentencoding contains a safe number of encodings before reading the response content. | 0.00018 | false |
| CVE-2025-13837 | Twistlock CVE | Medium | python3.9-3.9.21-2.el9_6.2 | 0.00018 | false | ||
| CVE-2025-13837 | Anchore CVE | Medium | python3-libs-3.9.21-2.el9_6.2 | 0.00018 | false | ||
| CVE-2025-13837 | Anchore CVE | Medium | python3-3.9.21-2.el9_6.2 | 0.00018 | false | ||
| CVE-2025-66382 | Twistlock CVE | Low | expat-2.5.0-5.el9_6 | 0.00017 | false | ||
| CVE-2025-66382 | Anchore CVE | Low | expat-2.5.0-5.el9_6 | 0.00017 | false | ||
| CVE-2025-6075 | Twistlock CVE | Low | python3.9-3.9.21-2.el9_6.2 | 0.00017 | false | ||
| CVE-2025-6075 | Anchore CVE | Low | python3-3.9.21-2.el9_6.2 | 0.00017 | false | ||
| CVE-2025-6075 | Anchore CVE | Low | python3-libs-3.9.21-2.el9_6.2 | 0.00017 | false | ||
| CVE-2025-10966 | Twistlock CVE | Medium | curl-7.76.1-31.el9_6.1 | 0.00017 | false | ||
| CVE-2025-10966 | Anchore CVE | Medium | curl-minimal-7.76.1-31.el9_6.1 | 0.00017 | false | ||
| CVE-2025-10966 | Anchore CVE | Medium | libcurl-minimal-7.76.1-31.el9_6.1 | 0.00017 | false | ||
| CVE-2025-13601 | Twistlock CVE | Medium | glib2-2.68.4-16.el9_6.2 | 0.00015 | false | ||
| CVE-2025-13601 | Anchore CVE | Medium | glib2-2.68.4-16.el9_6.2 | 0.00015 | false | ||
| CVE-2025-14104 | Twistlock CVE | Medium | util-linux-2.37.4-21.el9 | 0.00014 | false | ||
| CVE-2025-14104 | Anchore CVE | Medium | util-linux-core-2.37.4-21.el9 | 0.00014 | false | ||
| CVE-2025-14104 | Anchore CVE | Medium | libmount-2.37.4-21.el9 | 0.00014 | false | ||
| CVE-2025-14104 | Anchore CVE | Medium | util-linux-2.37.4-21.el9 | 0.00014 | false | ||
| CVE-2025-14104 | Anchore CVE | Medium | libsmartcols-2.37.4-21.el9 | 0.00014 | false | ||
| CVE-2025-14104 | Anchore CVE | Medium | libuuid-2.37.4-21.el9 | 0.00014 | false | ||
| CVE-2025-14104 | Anchore CVE | Medium | libblkid-2.37.4-21.el9 | 0.00014 | false | ||
| CVE-2025-14104 | Anchore CVE | Medium | libfdisk-2.37.4-21.el9 | 0.00014 | false | ||
| eed5f8c41965b0763c2078e745d6436f | Anchore Compliance | Critical | N/A | N/A | |||
| RHSA-2025:22660 | OSCAP Compliance | Low | N/A | N/A | |||
| RHSA-2025:22175 | OSCAP Compliance | Low | N/A | N/A | |||
| RHSA-2025:21255 | OSCAP Compliance | Low | N/A | N/A | |||
| RHSA-2025:20559 | OSCAP Compliance | Low | N/A | N/A | |||
| RHSA-2025:16116 | OSCAP Compliance | Low | N/A | N/A | |||
| RHSA-2025:15099 | OSCAP Compliance | Low | N/A | N/A | |||
| GHSA-mwv6-3258-q52c | Anchore CVE | High | next-14.2.32 | N/A | N/A | ||
| GHSA-mwv6-3258-q52c | Twistlock CVE | High | next-14.2.32 | N/A | N/A | ||
| GHSA-5j98-mcp5-4vw2 | Anchore CVE | High | glob-10.4.5 | N/A | N/A | ||
| GHSA-5j59-xgg2-r9c4 | Twistlock CVE | High | next-14.2.32 | N/A | N/A | ||
| GHSA-5j59-xgg2-r9c4 | Anchore CVE | High | next-14.2.32 | N/A | N/A | ||
| GHSA-4fh9-h7wg-q85m | Anchore CVE | Medium | mdast-util-to-hast-13.2.0 | N/A | N/A | ||
| 67a29f92168af87287e2d9e4b0595e7c | Anchore Compliance | Critical | N/A | N/A | |||
| 0724f0c129b53c407c690c236076c585 | Anchore Compliance | Critical | N/A | N/A |
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=gladstone/afta/webapp&tag=0.33.0&branch=master
Tasks
Contributor:
-
Apply the StatusReview label to this issue for a merge request reviewand wait for feedback
OR
-
Provide justifications for findings in the VAT (docs) -
Apply the StatusVerification label to this issue for a VAT justifications reviewand wait for feedback
Iron Bank:
-
Review findings and justifications
Note: If the above process is rejected for any reason, the
RevieworVerificationlabel will be removed and the issue will be sent back toTo-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add theRevieworVerificationlabel.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.