UNCLASSIFIED - NO CUI

chore(findings): hashicorp/vault

Summary

The hashicorp/vault image (tag 1.15.3, branch master) has 159 new findings discovered during continuous monitoring. Each row below is one scanner result for one package, so the same CVE can appear several times (once per scanner and once per affected subpackage).

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=hashicorp/vault&tag=1.15.3&branch=master

| ID | Source | Severity | Package |
|---|---|---|---|
| CVE-2021-4217 | Anchore CVE | Low | unzip-6.0-46.el8 |
| CVE-2022-0529 | Anchore CVE | Low | unzip-6.0-46.el8 |
| CVE-2023-39326 | Anchore CVE | Medium | stdlib-go1.21.4 |
| GHSA-7jwh-3vrq-q3m8 | Anchore CVE | Medium | github.com/jackc/pgproto3/v2-v2.3.2 |
| GHSA-jq35-85cj-fj4p | Anchore CVE | Medium | github.com/docker/docker-v24.0.5+incompatible |
| GHSA-rhh4-rh7c-7r5v | Anchore CVE | Medium | github.com/mholt/archiver/v3-v3.5.1 |
| CVE-2022-0530 | Anchore CVE | Low | unzip-6.0-46.el8 |
| GHSA-mrww-27vc-gghv | Anchore CVE | Medium | github.com/jackc/pgx/v4-v4.18.1 |
| GHSA-45x7-px36-x8w8 | Anchore CVE | Medium | golang.org/x/crypto-v0.15.0 |
| GHSA-xw73-rw38-6vjc | Anchore CVE | Medium | github.com/docker/docker-v24.0.5+incompatible |
| GHSA-7jwh-3vrq-q3m8 | Anchore CVE | Medium | github.com/jackc/pgx/v4-v4.18.1 |
| GHSA-9763-4f94-gfch | Anchore CVE | High | github.com/cloudflare/circl-v1.3.3 |
| GHSA-m7wr-2xf7-cm9p | Anchore CVE | Medium | github.com/jackc/pgx/v4-v4.18.1 |
| GHSA-mrww-27vc-gghv | Anchore CVE | Medium | github.com/jackc/pgx-v3.3.0+incompatible |
| GHSA-mhpq-9638-x6pw | Anchore CVE | Medium | github.com/dvsekhvalnov/jose2go-v1.5.0 |
| CVE-2023-45285 | Anchore CVE | High | stdlib-go1.21.4 |
| GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.17.0 |
| GHSA-mrww-27vc-gghv | Anchore CVE | Medium | github.com/jackc/pgproto3/v2-v2.3.2 |
| GHSA-8r3f-844c-mc37 | Anchore CVE | Medium | google.golang.org/protobuf-v1.31.0 |
| GHSA-6294-6rgp-fr7r | Anchore CVE | Medium | github.com/dvsekhvalnov/jose2go-v1.5.0 |
| GHSA-c5q2-7r4c-mv6g | Anchore CVE | Medium | github.com/go-jose/go-jose/v3-v3.0.1 |
| GHSA-m7wr-2xf7-cm9p | Anchore CVE | Medium | github.com/jackc/pgx-v3.3.0+incompatible |
| PRISMA-2022-0168 | Twistlock CVE | High | pip-9.0.3 |
| CVE-2024-33599 | Twistlock CVE | High | glibc-minimal-langpack-2.28-251.el8_10.1 |
| CVE-2024-33599 | Twistlock CVE | High | glibc-gconv-extra-2.28-251.el8_10.1 |
| CVE-2024-33599 | Twistlock CVE | High | glibc-common-2.28-251.el8_10.1 |
| CVE-2024-33599 | Twistlock CVE | High | glibc-2.28-251.el8_10.1 |
| CVE-2024-33599 | Twistlock CVE | High | glibc-langpack-en-2.28-251.el8_10.1 |
| CVE-2023-45285 | Twistlock CVE | High | go-1.21.4 |
| CVE-2024-35325 | Twistlock CVE | Medium | libyaml-0.1.7-5.el8 |
| PRISMA-2023-0056 | Twistlock CVE | Medium | github.com/sirupsen/logrus-v1.9.0 |
| CVE-2023-48795 | Twistlock CVE | Medium | golang.org/x/crypto/ssh-v0.15.0 |
| CVE-2024-33600 | Twistlock CVE | Medium | glibc-langpack-en-2.28-251.el8_10.1 |
| CVE-2024-33600 | Twistlock CVE | Medium | glibc-minimal-langpack-2.28-251.el8_10.1 |
| CVE-2024-33600 | Twistlock CVE | Medium | glibc-2.28-251.el8_10.1 |
| CVE-2024-33600 | Twistlock CVE | Medium | glibc-common-2.28-251.el8_10.1 |
| CVE-2024-33600 | Twistlock CVE | Medium | glibc-gconv-extra-2.28-251.el8_10.1 |
| GHSA-jq35-85cj-fj4p | Twistlock CVE | Medium | github.com/docker/docker-v24.0.5 |
| CVE-2024-28180 | Twistlock CVE | Medium | gopkg.in/square/go-jose.v2-v2.6.0 |
| CVE-2024-28180 | Twistlock CVE | Medium | github.com/go-jose/go-jose/v3-v3.0.1 |
| CVE-2024-27304 | Twistlock CVE | Medium | github.com/jackc/pgproto3/v2-v2.3.2 |
| CVE-2024-0406 | Twistlock CVE | Medium | github.com/mholt/archiver/v3-v3.5.1 |
| CVE-2023-50658 | Twistlock CVE | Medium | github.com/dvsekhvalnov/jose2go-v1.5.0 |
| CVE-2023-45288 | Twistlock CVE | Medium | golang.org/x/net/http2-v0.17.0 |
| CVE-2024-4741 | Twistlock CVE | Low | openssl-libs-1.1.1k-12.el8_9 |
| CVE-2024-33602 | Twistlock CVE | Low | glibc-2.28-251.el8_10.1 |
| CVE-2024-33602 | Twistlock CVE | Low | glibc-gconv-extra-2.28-251.el8_10.1 |
| CVE-2024-33602 | Twistlock CVE | Low | glibc-minimal-langpack-2.28-251.el8_10.1 |
| CVE-2024-33602 | Twistlock CVE | Low | glibc-langpack-en-2.28-251.el8_10.1 |
| CVE-2024-33602 | Twistlock CVE | Low | glibc-common-2.28-251.el8_10.1 |
| CVE-2024-33601 | Twistlock CVE | Low | glibc-minimal-langpack-2.28-251.el8_10.1 |
| CVE-2024-33601 | Twistlock CVE | Low | glibc-gconv-extra-2.28-251.el8_10.1 |
| CVE-2024-33601 | Twistlock CVE | Low | glibc-langpack-en-2.28-251.el8_10.1 |
| CVE-2024-33601 | Twistlock CVE | Low | glibc-common-2.28-251.el8_10.1 |
| CVE-2024-33601 | Twistlock CVE | Low | glibc-2.28-251.el8_10.1 |
| CVE-2024-4032 | Twistlock CVE | Low | python3-libs-3.6.8-59.el8 |
| CVE-2024-4032 | Twistlock CVE | Low | platform-python-3.6.8-59.el8 |
| CVE-2024-7531 | Anchore CVE | Low | nss-sysinit-3.90.0-7.el8_10 |
| CVE-2024-7531 | Anchore CVE | Low | nss-util-3.90.0-7.el8_10 |
| CVE-2023-45288 | Anchore CVE | Low | stdlib-go1.21.4 |
| CVE-2024-43168 | Anchore CVE | Low | unbound-libs-1.16.2-5.el8_9.6 |
| CVE-2024-33599 | Anchore CVE | High | glibc-gconv-extra-2.28-251.el8_10.1 |
| CVE-2024-6602 | Anchore CVE | Medium | nss-sysinit-3.90.0-7.el8_10 |
| CVE-2024-6602 | Anchore CVE | Medium | nss-util-3.90.0-7.el8_10 |
| CVE-2024-33599 | Anchore CVE | High | glibc-langpack-en-2.28-251.el8_10.1 |
| CVE-2024-33600 | Anchore CVE | Medium | glibc-minimal-langpack-2.28-251.el8_10.1 |
| CVE-2024-4741 | Anchore CVE | Low | openssl-libs-1:1.1.1k-12.el8_9 |
| CVE-2024-7531 | Anchore CVE | Low | nss-3.90.0-7.el8_10 |
| CVE-2024-43167 | Anchore CVE | Low | python3-unbound-1.16.2-5.el8_9.6 |
| CVE-2024-6602 | Anchore CVE | Medium | nss-3.90.0-7.el8_10 |
| CVE-2024-4032 | Anchore CVE | Low | python3-libs-3.6.8-59.el8 |
| CVE-2024-24790 | Anchore CVE | Critical | stdlib-go1.21.4 |
| CVE-2024-24787 | Anchore CVE | Medium | stdlib-go1.21.4 |
| CVE-2024-34397 | Anchore CVE | Medium | glib2-2.56.4-162.el8 |
| CVE-2024-33602 | Anchore CVE | Low | glibc-common-2.28-251.el8_10.1 |
| CVE-2023-45918 | Anchore CVE | Low | ncurses-libs-6.1-10.20180224.el8 |
| CVE-2024-33601 | Anchore CVE | Low | glibc-langpack-en-2.28-251.el8_10.1 |
| CVE-2024-33600 | Anchore CVE | Medium | glibc-common-2.28-251.el8_10.1 |
| CVE-2024-24785 | Anchore CVE | Low | stdlib-go1.21.4 |
| CVE-2024-24791 | Anchore CVE | High | stdlib-go1.21.4 |
| GHSA-v6v8-xj6m-xwqh | Anchore CVE | Medium | github.com/hashicorp/go-retryablehttp-v0.7.4 |
| CVE-2024-5535 | Anchore CVE | Low | openssl-libs-1:1.1.1k-12.el8_9 |
| CVE-2024-37371 | Anchore CVE | Medium | krb5-libs-1.18.2-27.el8_10 |
| CVE-2024-33601 | Anchore CVE | Low | glibc-common-2.28-251.el8_10.1 |
| CVE-2024-6345 | Anchore CVE | High | python3-setuptools-wheel-39.2.0-7.el8 |
| CVE-2024-34459 | Anchore CVE | Low | libxml2-2.9.7-18.el8_9 |
| CVE-2024-4032 | Anchore CVE | Low | platform-python-3.6.8-59.el8 |
| CVE-2024-24783 | Anchore CVE | Low | stdlib-go1.21.4 |
| CVE-2024-43168 | Anchore CVE | Low | python3-unbound-1.16.2-5.el8_9.6 |
| CVE-2023-45289 | Anchore CVE | Low | stdlib-go1.21.4 |
| CVE-2024-33601 | Anchore CVE | Low | glibc-minimal-langpack-2.28-251.el8_10.1 |
| CVE-2024-24784 | Anchore CVE | High | stdlib-go1.21.4 |
| CVE-2024-37891 | Anchore CVE | Medium | python3-urllib3-1.24.2-7.el8 |
| CVE-2024-33600 | Anchore CVE | Medium | glibc-langpack-en-2.28-251.el8_10.1 |
| CVE-2024-33599 | Anchore CVE | High | glibc-minimal-langpack-2.28-251.el8_10.1 |
| CVE-2024-33601 | Anchore CVE | Low | glibc-2.28-251.el8_10.1 |
| CVE-2024-33602 | Anchore CVE | Low | glibc-2.28-251.el8_10.1 |
| CVE-2024-6923 | Anchore CVE | Medium | python3-libs-3.6.8-59.el8 |
| CVE-2024-24789 | Anchore CVE | Medium | stdlib-go1.21.4 |
| GHSA-v23v-6jw2-98fq | Anchore CVE | Critical | github.com/docker/docker-v24.0.5+incompatible |
| CVE-2024-33600 | Anchore CVE | Medium | glibc-2.28-251.el8_10.1 |
| CVE-2024-33600 | Anchore CVE | Medium | glibc-gconv-extra-2.28-251.el8_10.1 |
| CVE-2024-33599 | Anchore CVE | High | glibc-common-2.28-251.el8_10.1 |
| CVE-2024-33601 | Anchore CVE | Low | glibc-gconv-extra-2.28-251.el8_10.1 |
| GHSA-m5vv-6r4h-3vj9 | Anchore CVE | Medium | github.com/Azure/azure-sdk-for-go/sdk/azidentity-v1.3.1 |
| CVE-2024-33602 | Anchore CVE | Low | glibc-gconv-extra-2.28-251.el8_10.1 |
| GHSA-c5q2-7r4c-mv6g | Anchore CVE | Medium | gopkg.in/square/go-jose.v2-v2.6.0 |
| CVE-2024-37370 | Anchore CVE | Medium | krb5-libs-1.18.2-27.el8_10 |
| CVE-2024-7531 | Anchore CVE | Low | nss-softokn-3.90.0-7.el8_10 |
| CVE-2024-6345 | Anchore CVE | High | platform-python-setuptools-39.2.0-7.el8 |
| CVE-2024-6602 | Anchore CVE | Medium | nss-softokn-3.90.0-7.el8_10 |
| CVE-2024-6602 | Anchore CVE | Medium | nss-softokn-freebl-3.90.0-7.el8_10 |
| CVE-2024-6923 | Anchore CVE | Medium | platform-python-3.6.8-59.el8 |
| CVE-2023-45918 | Anchore CVE | Low | ncurses-base-6.1-10.20180224.el8 |
| CVE-2024-33599 | Anchore CVE | High | glibc-2.28-251.el8_10.1 |
| CVE-2024-43167 | Anchore CVE | Low | unbound-libs-1.16.2-5.el8_9.6 |
| CVE-2024-33602 | Anchore CVE | Low | glibc-minimal-langpack-2.28-251.el8_10.1 |
| CVE-2024-33602 | Anchore CVE | Low | glibc-langpack-en-2.28-251.el8_10.1 |
| CVE-2024-7531 | Anchore CVE | Low | nss-softokn-freebl-3.90.0-7.el8_10 |
| CVE-2023-45290 | Anchore CVE | Low | stdlib-go1.21.4 |
| RHSA-2024:4264 | OSCAP Compliance | Low | |
| RHSA-2024:4260 | OSCAP Compliance | Low | |
| RHSA-2024:4252 | OSCAP Compliance | Low | |
| RHSA-2024:3626 | OSCAP Compliance | Low | |
| RHSA-2024:3347 | OSCAP Compliance | Low | |
| RHSA-2024:3344 | OSCAP Compliance | Low | |
| CVE-2024-37371 | Twistlock CVE | Medium | krb5-libs-1.18.2-27.el8_10 |
| CVE-2024-37370 | Twistlock CVE | Medium | krb5-libs-1.18.2-27.el8_10 |
| CVE-2024-5535 | Twistlock CVE | Low | openssl-libs-1.1.1k-12.el8_9 |
| CVE-2024-37891 | Twistlock CVE | Medium | python3-urllib3-1.24.2-7.el8 |
| CVE-2024-3651 | Twistlock CVE | Medium | python3-idna-2.5-5.el8 |
| CVE-2024-6345 | Twistlock CVE | High | python3-setuptools-wheel-39.2.0-7.el8 |
| CVE-2024-6345 | Twistlock CVE | High | platform-python-setuptools-39.2.0-7.el8 |
| CVE-2024-6602 | Twistlock CVE | Medium | nss-sysinit-3.90.0-7.el8_10 |
| CVE-2024-6602 | Twistlock CVE | Medium | nss-util-3.90.0-7.el8_10 |
| CVE-2024-6602 | Twistlock CVE | Medium | nss-3.90.0-7.el8_10 |
| CVE-2024-6602 | Twistlock CVE | Medium | nss-softokn-freebl-3.90.0-7.el8_10 |
| CVE-2024-6602 | Twistlock CVE | Medium | nss-softokn-3.90.0-7.el8_10 |
| CVE-2024-6104 | Twistlock CVE | Medium | github.com/hashicorp/go-retryablehttp-v0.7.4 |
| CVE-2024-35255 | Twistlock CVE | Medium | github.com/Azure/azure-sdk-for-go/sdk/azidentity-v1.3.1 |
| CVE-2024-24787 | Twistlock CVE | Low | go-1.21.4 |
| CVE-2023-45918 | Twistlock CVE | Low | ncurses-libs-6.1-10.20180224.el8 |
| CVE-2023-45918 | Twistlock CVE | Low | ncurses-base-6.1-10.20180224.el8 |
| CVE-2024-6923 | Twistlock CVE | Medium | python3-libs-3.6.8-59.el8 |
| CVE-2024-6923 | Twistlock CVE | Medium | platform-python-3.6.8-59.el8 |
| CVE-2024-7264 | Twistlock CVE | Low | curl-7.61.1-34.el8 |
| CVE-2024-7264 | Twistlock CVE | Low | libcurl-7.61.1-34.el8 |
| CVE-2024-0397 | Twistlock CVE | Low | platform-python-3.6.8-59.el8 |
| CVE-2024-0397 | Twistlock CVE | Low | python3-libs-3.6.8-59.el8 |
| CVE-2024-43168 | Twistlock CVE | Low | python3-unbound-1.16.2-5.el8_9.6 |
| CVE-2024-43168 | Twistlock CVE | Low | unbound-libs-1.16.2-5.el8_9.6 |
| CVE-2024-43167 | Twistlock CVE | Low | unbound-libs-1.16.2-5.el8_9.6 |
| CVE-2024-43167 | Twistlock CVE | Low | python3-unbound-1.16.2-5.el8_9.6 |
| CVE-2024-7531 | Twistlock CVE | Low | nss-softokn-freebl-3.90.0-7.el8_10 |
| CVE-2024-7531 | Twistlock CVE | Low | nss-sysinit-3.90.0-7.el8_10 |
| CVE-2024-7531 | Twistlock CVE | Low | nss-util-3.90.0-7.el8_10 |
| CVE-2024-7531 | Twistlock CVE | Low | nss-3.90.0-7.el8_10 |
| CVE-2024-7531 | Twistlock CVE | Low | nss-softokn-3.90.0-7.el8_10 |
| CVE-2024-35195 | Twistlock CVE | Medium | python3-requests-2.20.0-3.el8_8 |
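Triaging this list row by row is wasteful: Anchore and Twistlock report the same CVE against the same artefact with different package spellings (an RPM epoch prefix such as `openssl-libs-1:1.1.1k...` versus `openssl-libs-1.1.1k...`, or Go's `+incompatible` suffix), one glibc advisory shows up once per subpackage, and the two scanners do not always agree on severity (CVE-2024-24787 is Medium for Anchore and Low for Twistlock above). As an added example, not part of this Iron Bank issue or of the vault project, the Python below parses rows in the format of the table above, normalises the package strings and collapses the rows into one worklist entry per advisory ID, keeping the worst severity any scanner assigned. The rows embedded in `SAMPLE` are copied from the table; merging Anchore's `stdlib-go1.21.4` and Twistlock's `go-1.21.4` into a single `go-toolchain` entry is an assumption of this example, as are all function and variable names.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Rows copied from the findings table above (not constructed): every source
# type, one CVE spelled differently by the two scanners, and one CVE whose
# severity the scanners disagree on.
SAMPLE = """\
CVE-2023-45285 Anchore CVE High stdlib-go1.21.4
CVE-2023-45285 Twistlock CVE High go-1.21.4
CVE-2024-33599 Twistlock CVE High glibc-common-2.28-251.el8_10.1
CVE-2024-33599 Twistlock CVE High glibc-2.28-251.el8_10.1
CVE-2024-33599 Anchore CVE High glibc-common-2.28-251.el8_10.1
CVE-2024-4741 Twistlock CVE Low openssl-libs-1.1.1k-12.el8_9
CVE-2024-4741 Anchore CVE Low openssl-libs-1:1.1.1k-12.el8_9
GHSA-jq35-85cj-fj4p Anchore CVE Medium github.com/docker/docker-v24.0.5+incompatible
GHSA-jq35-85cj-fj4p Twistlock CVE Medium github.com/docker/docker-v24.0.5
CVE-2024-24790 Anchore CVE Critical stdlib-go1.21.4
CVE-2024-24787 Anchore CVE Medium stdlib-go1.21.4
CVE-2024-24787 Twistlock CVE Low go-1.21.4
RHSA-2024:4264 OSCAP Compliance Low
"""

# One row: "<id> <scanner> <kind> <severity> [<package>]"; OSCAP compliance
# rows carry no package, hence the optional last group.
ROW = re.compile(
    r"^(?P<id>\S+)\s+(?P<source>Anchore|Twistlock|OSCAP)\s+(?P<kind>CVE|Compliance)"
    r"\s+(?P<severity>Critical|High|Medium|Low)(?:\s+(?P<package>\S+))?$"
)
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
# Assumption: "stdlib-goX.Y.Z" (Anchore) and "go-X.Y.Z" (Twistlock) both name
# the Go toolchain the binary was built with, so they are merged.
GO_TOOLCHAIN = re.compile(r"^(?:stdlib-go|go-)(\d[\d.]*)$")
GO_MODULE = re.compile(r"^(?P<name>.+)-v(?P<ver>\d[^+]*)(?:\+incompatible)?$")
RPM = re.compile(r"^(?P<name>.+?)-(?:\d+:)?(?P<ver>[^-]+-[^-]+)$")  # name-[epoch:]ver-rel


@dataclass(frozen=True)
class Finding:
    id: str
    source: str
    kind: str
    severity: str
    package: str  # empty for OSCAP compliance rows


def parse_rows(text):
    """Parse the flattened findings table, rejecting rows that do not fit."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unparsable finding row: {line!r}")
        findings.append(Finding(m["id"], m["source"], m["kind"],
                                m["severity"], m["package"] or ""))
    return findings


def split_package(pkg):
    """Return (name, version) with scanner-specific spelling removed: RPM
    epochs ("1:") and Go's "+incompatible" are dropped so the same artefact
    keys identically. Unknown shapes come back unchanged with an empty version."""
    if not pkg:
        return "", ""
    if m := GO_TOOLCHAIN.match(pkg):
        return "go-toolchain", m.group(1)
    if m := GO_MODULE.match(pkg):
        return m["name"], m["ver"]
    if m := RPM.match(pkg):
        return m["name"], m["ver"]
    return pkg, ""


def triage(text):
    """Collapse per-scanner, per-subpackage rows into one entry per advisory
    ID, keeping the worst severity any scanner assigned."""
    findings = parse_rows(text)
    by_id = defaultdict(lambda: {"severity": set(), "packages": set(), "sources": set()})
    for f in findings:
        name, ver = split_package(f.package)
        entry = by_id[f.id]
        entry["severity"].add(f.severity)
        entry["sources"].add(f.source)
        if name:
            entry["packages"].add(f"{name} {ver}".rstrip())
    worklist = [{"id": issue_id, "severity": min(e["severity"], key=SEVERITY_ORDER.__getitem__),
                 "packages": sorted(e["packages"]), "sources": sorted(e["sources"])}
                for issue_id, e in by_id.items()]
    worklist.sort(key=lambda w: (SEVERITY_ORDER[w["severity"]], w["id"]))
    return {"rows": len(findings), "unique_ids": len(by_id), "worklist": worklist}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"{result['rows']} rows -> {result['unique_ids']} advisories")
    for w in result["worklist"]:
        print(f"{w['severity']:8} {w['id']:22} {', '.join(w['sources']):18} "
              f"{'; '.join(w['packages']) or '(compliance)'}")
```

Run against the 13 sample rows this yields 7 advisories; fed the full table it gives the count of distinct IDs that need a justification and, for each, which scanners flagged it and which packages (after normalisation) it touches. Unknown package shapes are passed through rather than guessed, so a scanner adding a new naming convention shows up as an unmerged entry instead of a silently wrong merge.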

Tasks

Contributor:

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.
