UNCLASSIFIED - NO CUI

chore(findings): kasm/workspaces/api

Summary

kasm/workspaces/api has 114 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=kasm/workspaces/api&tag=1.16.1&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

| id | source | severity | package | impact | workaround | epss_score | kev |
|---|---|---|---|---|---|---|---|
| CVE-2024-6345 | Twistlock | CVE High | setuptools-65.5.1 | Most users have migrated off of the code paths that are affected. The affected code paths are actively deprecated and planned for turn down. Only specialized and legacy workflows are affected. | Use recommended installers (pip, uv, build, system package managers) to install all packages from trusted indexes. If working with untrusted content in private indexes, consider scanning for malicious code in the package index pages. | 0.04362 | false |
| CVE-2015-9019 | Twistlock | CVE Low | libxslt-1.1.35-1+deb12u3 | | | 0.00984 | false |
| CVE-2015-9019 | Anchore | CVE Low | libxslt1.1-1.1.35-1+deb12u3 | | | 0.00984 | false |
| CVE-2024-52804 | Twistlock | CVE Low | tornado-6.4.1 | | | 0.00510 | false |
| CVE-2023-43804 | Twistlock | CVE High | urllib3-1.26.5 | Usage of the Cookie header is rare with urllib3. This is more common and useful in browsers. Redirections to another origin are also not the common case. | | 0.00472 | false |
| CVE-2024-35255 | Twistlock | CVE Medium | azure-identity-1.11.0b1 | | | 0.00295 | false |
| CVE-2025-8194 | Twistlock | CVE Low | python3.11-3.11.2-6+deb12u6 | | | 0.00207 | false |
| CVE-2025-8194 | Anchore | CVE High | libpython3.11-minimal-3.11.2-6+deb12u6 | | | 0.00207 | false |
| CVE-2025-8194 | Anchore | CVE High | python3.11-3.11.2-6+deb12u6 | | | 0.00207 | false |
| CVE-2025-8194 | Anchore | CVE High | python3.11-minimal-3.11.2-6+deb12u6 | | | 0.00207 | false |
| CVE-2025-8194 | Anchore | CVE High | libpython3.11-stdlib-3.11.2-6+deb12u6 | | | 0.00207 | false |
| CVE-2024-37891 | Twistlock | CVE Medium | urllib3-1.26.5 | There's no reason to set Proxy-Authorization without using urllib3's proxy support. | Using the Proxy-Authorization header with urllib3's ProxyManager. Disabling HTTP redirects using redirects=False when sending requests. Not using the Proxy-Authorization header. | 0.00142 | false |
| CVE-2025-6069 | Twistlock | CVE Low | python3.11-3.11.2-6+deb12u6 | | | 0.00116 | false |
| CVE-2025-6069 | Anchore | CVE Medium | python3.11-minimal-3.11.2-6+deb12u6 | | | 0.00116 | false |
| CVE-2025-6069 | Anchore | CVE Medium | libpython3.11-stdlib-3.11.2-6+deb12u6 | | | 0.00116 | false |
| CVE-2025-6069 | Anchore | CVE Medium | python3.11-3.11.2-6+deb12u6 | | | 0.00116 | false |
| CVE-2025-6069 | Anchore | CVE Medium | libpython3.11-minimal-3.11.2-6+deb12u6 | | | 0.00116 | false |
| CVE-2024-47081 | Twistlock | CVE Medium | requests-2.31.0 | | | 0.00104 | false |
| CVE-2024-47081 | Twistlock | CVE Medium | requests-2.32.3 | | | 0.00104 | false |
| CVE-2025-47287 | Twistlock | CVE High | tornado-6.4.1 | | | 0.00103 | false |
| CVE-2025-47273 | Twistlock | CVE High | setuptools-65.5.1 | | | 0.00077 | false |
| CVE-2025-59375 | Twistlock | CVE Low | expat-2.5.0-1+deb12u2 | | | 0.00075 | false |
| CVE-2025-59375 | Anchore | CVE High | libexpat1-2.5.0-1+deb12u2 | | | 0.00075 | false |
| CVE-2023-52323 | Twistlock | CVE Medium | pycryptodome-3.15.0 | | | 0.00074 | false |
| CVE-2025-8291 | Twistlock | CVE Low | python3.11-3.11.2-6+deb12u6 | | | 0.00073 | false |
| CVE-2025-8291 | Anchore | CVE Medium | libpython3.11-minimal-3.11.2-6+deb12u6 | | | 0.00073 | false |
| CVE-2025-8291 | Anchore | CVE Medium | python3.11-minimal-3.11.2-6+deb12u6 | | | 0.00073 | false |
| CVE-2025-8291 | Anchore | CVE Medium | python3.11-3.11.2-6+deb12u6 | | | 0.00073 | false |
| CVE-2025-8291 | Anchore | CVE Medium | libpython3.11-stdlib-3.11.2-6+deb12u6 | | | 0.00073 | false |
| CVE-2025-4565 | Twistlock | CVE High | protobuf-3.20.2 | | | 0.00058 | false |
| CVE-2023-45803 | Twistlock | CVE Medium | urllib3-1.26.5 | No exploits from the real world were reported. | Disable redirects for services that you aren't expecting to respond with redirects with redirects=False. Disable automatic redirects with redirects=False and handle 303 redirects manually by stripping the HTTP request body. | 0.00055 | false |
| CVE-2025-7709 | Twistlock | CVE Low | sqlite3-3.40.1-2+deb12u2 | | | 0.00054 | false |
| CVE-2025-7709 | Anchore | CVE Medium | libsqlite3-0-3.40.1-2+deb12u2 | | | 0.00054 | false |
| CVE-2025-11731 | Twistlock | CVE Low | libxslt-1.1.35-1+deb12u3 | | | 0.00052 | false |
| CVE-2025-11731 | Anchore | CVE Low | libxslt1.1-1.1.35-1+deb12u3 | | | 0.00052 | false |
| CVE-2024-35195 | Twistlock | CVE Medium | requests-2.31.0 | | | 0.00044 | false |
| CVE-2025-7458 | Twistlock | CVE Low | sqlite3-3.40.1-2+deb12u2 | | | 0.00038 | false |
| CVE-2025-7458 | Anchore | CVE Critical | libsqlite3-0-3.40.1-2+deb12u2 | | | 0.00038 | false |
| CVE-2025-7425 | Twistlock | CVE Low | libxslt-1.1.35-1+deb12u3 | | | 0.00027 | false |
| CVE-2025-7425 | Anchore | CVE High | libxslt1.1-1.1.35-1+deb12u3 | | | 0.00027 | false |
| CVE-2025-9714 | Twistlock | CVE Low | libxml2-2.9.14+dfsg-1.3~deb12u4 | | | 0.00025 | false |
| CVE-2025-9714 | Anchore | CVE Medium | libxml2-2.9.14+dfsg-1.3~deb12u4 | | | 0.00025 | false |
| CVE-2025-6141 | Anchore | CVE Low | libncursesw6-6.4-4 | | | 0.00025 | false |
| CVE-2025-47906 | Twistlock | CVE Low | os/exec-1.24.1 | | | 0.00024 | false |
| CVE-2025-47906 | Anchore | CVE Medium | stdlib-go1.24.1 | | | 0.00024 | false |
| CVE-2025-50181 | Twistlock | CVE Medium | urllib3-1.26.5 | Most users don't disable redirects on the PoolManager. | Set redirects=False/redirects=0 on the .request call instead of on the top-level urllib3.PoolManager. | 0.00023 | false |
| CVE-2025-50181 | Twistlock | CVE Medium | urllib3-2.3.0 | Most users don't disable redirects on the PoolManager. | Set redirects=False/redirects=0 on the .request call instead of on the top-level urllib3.PoolManager. | 0.00023 | false |
| CVE-2025-22872 | Twistlock | CVE Medium | golang.org/x/net/html-v0.37.0 | | | 0.00023 | false |
| CVE-2025-22871 | Anchore | CVE Critical | stdlib-go1.24.1 | | | 0.00023 | false |
| CVE-2025-29088 | Twistlock | CVE Low | sqlite3-3.40.1-2+deb12u2 | | | 0.00020 | false |
| CVE-2025-29088 | Anchore | CVE Low | libsqlite3-0-3.40.1-2+deb12u2 | | | 0.00020 | false |
| CVE-2025-47907 | Anchore | CVE High | stdlib-go1.24.1 | | | 0.00019 | false |
| CVE-2025-4673 | Anchore | CVE Medium | stdlib-go1.24.1 | | | 0.00015 | false |
| CVE-2025-4673 | Twistlock | CVE Low | net/http-1.24.1 | | | 0.00015 | false |
| CVE-2025-50182 | Twistlock | CVE Medium | urllib3-2.3.0 | Pyodide is an extremely rare configuration for users in production. | | 0.00014 | false |
| CVE-2025-4516 | Twistlock | CVE Low | python3.11-3.11.2-6+deb12u6 | | | 0.00013 | false |
| CVE-2025-4516 | Anchore | CVE Low | python3.11-minimal-3.11.2-6+deb12u6 | | | 0.00013 | false |
| CVE-2025-4516 | Anchore | CVE Low | libpython3.11-stdlib-3.11.2-6+deb12u6 | | | 0.00013 | false |
| CVE-2025-4516 | Anchore | CVE Low | libpython3.11-minimal-3.11.2-6+deb12u6 | | | 0.00013 | false |
| CVE-2025-4516 | Anchore | CVE Low | python3.11-3.11.2-6+deb12u6 | | | 0.00013 | false |
| CVE-2025-22874 | Twistlock | CVE Low | crypto/x509-1.24.1 | | | 0.00013 | false |
| CVE-2025-22874 | Anchore | CVE High | stdlib-go1.24.1 | | | 0.00013 | false |
| CVE-2025-10911 | Twistlock | CVE Low | libxslt-1.1.35-1+deb12u3 | | | 0.00013 | false |
| CVE-2025-10911 | Anchore | CVE Medium | libxslt1.1-1.1.35-1+deb12u3 | | | 0.00013 | false |
| CVE-2025-8732 | Anchore | CVE Low | libxml2-2.9.14+dfsg-1.3~deb12u4 | | | 0.00008 | false |
| CVE-2025-4674 | Anchore | CVE High | stdlib-go1.24.1 | | | 0.00006 | false |
| CVE-2025-61725 | Anchore | CVE High | stdlib-go1.24.1 | | | N/A | false |
| CVE-2025-61724 | Anchore | CVE Medium | stdlib-go1.24.1 | | | N/A | false |
| CVE-2025-61723 | Anchore | CVE High | stdlib-go1.24.1 | | | N/A | false |
| CVE-2025-6075 | Twistlock | CVE Low | python3.11-3.11.2-6+deb12u6 | | | N/A | false |
| CVE-2025-6075 | Anchore | CVE Low | libpython3.11-stdlib-3.11.2-6+deb12u6 | | | N/A | false |
| CVE-2025-6075 | Anchore | CVE Low | libpython3.11-minimal-3.11.2-6+deb12u6 | | | N/A | false |
| CVE-2025-6075 | Anchore | CVE Low | python3.11-minimal-3.11.2-6+deb12u6 | | | N/A | false |
| CVE-2025-6075 | Anchore | CVE Low | python3.11-3.11.2-6+deb12u6 | | | N/A | false |
| CVE-2025-58189 | Twistlock | CVE Low | crypto/tls-1.24.1 | | | N/A | false |
| CVE-2025-58189 | Anchore | CVE Medium | stdlib-go1.24.1 | | | N/A | false |
| CVE-2025-58188 | Twistlock | CVE Low | crypto/x509-1.24.1 | | | N/A | false |
| CVE-2025-58188 | Anchore | CVE High | stdlib-go1.24.1 | | | N/A | false |
| CVE-2025-58187 | Twistlock | CVE Low | crypto/x509-1.24.1 | | | N/A | false |
| CVE-2025-58187 | Anchore | CVE High | stdlib-go1.24.1 | | | N/A | false |
| CVE-2025-58186 | Twistlock | CVE Low | net/http-1.24.1 | | | N/A | false |
| CVE-2025-58186 | Anchore | CVE Medium | stdlib-go1.24.1 | | | N/A | false |
| CVE-2025-58185 | Anchore | CVE Medium | stdlib-go1.24.1 | | | N/A | false |
| CVE-2025-58183 | Anchore | CVE Medium | stdlib-go1.24.1 | | | N/A | false |
| CVE-2025-52099 | Twistlock | CVE Low | sqlite3-3.40.1-2+deb12u2 | | | N/A | false |
| CVE-2025-52099 | Anchore | CVE Low | libsqlite3-0-3.40.1-2+deb12u2 | | | N/A | false |
| CVE-2025-47912 | Twistlock | CVE Low | net/url-1.24.1 | | | N/A | false |
| CVE-2025-47912 | Anchore | CVE Medium | stdlib-go1.24.1 | | | N/A | false |
| e87e0c6ee13a1c60ba34eabda2d42257 | Anchore | Compliance Critical | | | | N/A | N/A |
| GHSA-vvgc-356p-c3xw | Anchore | CVE Medium | golang.org/x/net-v0.37.0 | | | N/A | N/A |
| GHSA-v845-jxx5-vc9f | Anchore | CVE High | urllib3-1.26.5 | | | N/A | N/A |
| GHSA-pq67-6m6q-mj2v | Anchore | CVE Medium | urllib3-1.26.5 | | | N/A | N/A |
| GHSA-pq67-6m6q-mj2v | Anchore | CVE Medium | urllib3-2.3.0 | | | N/A | N/A |
| GHSA-m5vv-6r4h-3vj9 | Anchore | CVE Medium | azure-identity-1.11.0b1 | | | N/A | N/A |
| GHSA-j66q-qmrc-89rx | Anchore | CVE Critical | jsonpickle-1.3 | | | N/A | N/A |
| GHSA-j225-cvw7-qrx7 | Anchore | CVE High | pycryptodome-3.15.0 | | | N/A | N/A |
| GHSA-h4gh-qq45-vh27 | Twistlock | CVE Medium | cryptography-42.0.4 | | | N/A | N/A |
| GHSA-h4gh-qq45-vh27 | Anchore | CVE Medium | cryptography-42.0.4 | | | N/A | N/A |
| GHSA-g4mx-q9vg-27p4 | Anchore | CVE Medium | urllib3-1.26.5 | | | N/A | N/A |
| GHSA-cx63-2mw6-8hw5 | Anchore | CVE High | setuptools-65.5.1 | | | N/A | N/A |
| GHSA-9wx4-h78v-vm56 | Anchore | CVE Medium | requests-2.31.0 | | | N/A | N/A |
| GHSA-9hjg-9r4m-mvj7 | Anchore | CVE Medium | requests-2.32.3 | | | N/A | N/A |
| GHSA-9hjg-9r4m-mvj7 | Anchore | CVE Medium | requests-2.31.0 | | | N/A | N/A |
| GHSA-8w49-h785-mj3c | Anchore | CVE High | tornado-6.4.1 | | | N/A | N/A |
| GHSA-8qvm-5x2c-j2w7 | Anchore | CVE High | protobuf-3.20.2 | | | N/A | N/A |
| GHSA-7cx3-6m66-7c5m | Anchore | CVE High | tornado-6.4.1 | | | N/A | N/A |
| GHSA-5rjg-fvgr-3xxf | Anchore | CVE High | setuptools-65.5.1 | | | N/A | N/A |
| GHSA-48p4-8xcf-vxj5 | Anchore | CVE Medium | urllib3-2.3.0 | | | N/A | N/A |
| GHSA-34jh-p97f-mpxf | Anchore | CVE Medium | urllib3-1.26.5 | | | N/A | N/A |
| 705948208696ae9dfb2660fe8042b67f | Anchore | Compliance Critical | | | | N/A | N/A |
| 3e83a7a3d90961ad2ab393cc59e3936f | Anchore | Compliance Critical | | | | N/A | N/A |
| 2c7ba1c69af3420cd05aa6b5cbb6a557 | Anchore | Compliance Critical | | | | N/A | N/A |
| 120d0dde9cfac06f6957203b3ff7326c | Anchore | Compliance Critical | | | | N/A | N/A |
| 076dd7f2c43ba554ddcdef0afe07e5a7 | Anchore | Compliance Critical | | | | N/A | N/A |

Tasks

Contributor:

  • Apply the StatusReview label to this issue for a merge request review and wait for feedback

OR

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.

Edited by CHORE_TOKEN