chore(findings): jfrog/jfrog-xray/router
Summary
jfrog/jfrog-xray/router has 47 new findings discovered during continuous monitoring.
| id | source | severity | package |
|---|---|---|---|
GHSA-jq35-85cj-fj4p | Anchore CVE | Medium | github.com/docker/docker-v23.0.5+incompatible |
GHSA-2wrh-6pvc-2jm9 | Anchore CVE | Medium | golang.org/x/net-v0.12.0 |
GHSA-qppj-fm5r-hxr3 | Anchore CVE | Medium | golang.org/x/net-v0.12.0 |
GHSA-fvhj-4qfh-q2hm | Anchore CVE | Medium | github.com/traefik/traefik/v2-v2.10.5 |
GHSA-6fwg-jrfw-ff7p | Anchore CVE | High | github.com/traefik/traefik/v2-v2.10.5 |
GHSA-2c7c-3mj9-8fqh | Anchore CVE | Medium | github.com/go-jose/go-jose/v3-v3.0.0 |
CVE-2023-1297 | Anchore CVE | High | github.com/hashicorp/consul-v1.14.5 |
GHSA-4374-p667-p6c8 | Anchore CVE | High | golang.org/x/net-v0.12.0 |
GHSA-45x7-px36-x8w8 | Anchore CVE | Medium | golang.org/x/crypto-v0.15.0 |
GHSA-8g85-whqh-cr2f | Anchore CVE | Medium | github.com/traefik/traefik/v2-v2.10.5 |
GHSA-ppxx-5m9h-6vxf | Anchore CVE | Medium | github.com/quic-go/quic-go-v0.39.0 |
GHSA-c5q2-7r4c-mv6g | Anchore CVE | Medium | github.com/go-jose/go-jose/v3-v3.0.0 |
GHSA-8r3f-844c-mc37 | Anchore CVE | Medium | google.golang.org/protobuf-v1.31.0 |
GHSA-mq39-4gv4-mvpx | Anchore CVE | Medium | github.com/docker/docker-v23.0.5+incompatible |
GHSA-xw73-rw38-6vjc | Anchore CVE | Medium | github.com/docker/docker-v23.0.5+incompatible |
GHSA-c33x-xqrf-c478 | Anchore CVE | High | github.com/quic-go/quic-go-v0.39.0 |
GHSA-4vwx-54mw-vqfw | Anchore CVE | High | github.com/traefik/traefik/v2-v2.10.5 |
GHSA-7f4j-64p6-5h5v | Anchore CVE | Medium | github.com/traefik/traefik/v2-v2.10.5 |
GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.18.0 |
GHSA-4v7x-pqxf-cx7m | Anchore CVE | Medium | golang.org/x/net-v0.12.0 |
CVE-2018-1121 | Anchore CVE | Low | procps-ng-3.3.15-14.el8 |
CVE-2023-29409 | Anchore CVE | Medium | stdlib-go1.20.5 |
CVE-2023-29406 | Anchore CVE | Medium | stdlib-go1.20.5 |
CVE-2023-39318 | Anchore CVE | Medium | stdlib-go1.20.5 |
CVE-2023-39326 | Anchore CVE | Medium | stdlib-go1.21.4 X:boringcrypto |
CVE-2023-39323 | Anchore CVE | High | stdlib-go1.20.5 |
CVE-2023-39326 | Anchore CVE | Medium | stdlib-go1.20.5 |
CVE-2023-44487 | Anchore CVE | High | stdlib-go1.20.5 |
CVE-2023-45285 | Anchore CVE | High | stdlib-go1.21.4 X:boringcrypto |
CVE-2023-45285 | Anchore CVE | High | stdlib-go1.20.5 |
CVE-2023-39319 | Anchore CVE | Medium | stdlib-go1.20.5 |
CVE-2023-39325 | Anchore CVE | High | stdlib-go1.20.5 |
CVE-2023-47633 | Twistlock CVE | High | github.com/traefik/traefik/v2-v2.10.5 |
CVE-2023-44487 | Twistlock CVE | High | golang.org/x/net-v0.12.0 |
CVE-2023-47106 | Twistlock CVE | Medium | github.com/traefik/traefik/v2-v2.10.5 |
CVE-2023-3978 | Twistlock CVE | Medium | golang.org/x/net/html-v0.12.0 |
CVE-2023-48795 | Twistlock CVE | Medium | golang.org/x/crypto/ssh-v0.15.0 |
CVE-2023-47124 | Twistlock CVE | Medium | github.com/traefik/traefik/v2-v2.10.5 |
GO-2023-2334 | Twistlock CVE | Medium | github.com/go-jose/go-jose/v3-v3.0.0 |
GHSA-jq35-85cj-fj4p | Twistlock CVE | Medium | github.com/docker/docker-v23.0.5 |
CVE-2024-28180 | Twistlock CVE | Medium | github.com/go-jose/go-jose/v3-v3.0.0 |
CVE-2024-24557 | Twistlock CVE | Medium | github.com/docker/docker-v23.0.5 |
CVE-2024-22189 | Twistlock CVE | High | github.com/quic-go/quic-go-v0.39.0 |
CVE-2023-45288 | Twistlock CVE | Medium | golang.org/x/net/http2-v0.18.0 |
CVE-2024-28869 | Twistlock CVE | High | github.com/traefik/traefik/v2-v2.10.5 |
GHSA-7f4j-64p6-5h5v | Twistlock CVE | Medium | github.com/traefik/traefik/v2-v2.10.5 |
CVE-2024-34397 | Twistlock CVE | Medium | glib2-2.56.4-161.el8 |
VAT: https://vat.dso.mil/vat/image?imageName=jfrog/jfrog-xray/router&tag=7.87.0&branch=master
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=jfrog/jfrog-xray/router&tag=7.61.1&branch=master
Tasks
Contributor:
- Provide justifications for findings in the VAT (docs)
- Apply the ~"Hardening::Verification" label to this issue and wait for feedback
Iron Bank:
- Review findings and justifications
Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.