Running with gitlab-runner 13.8.0 (775dd39d)  on dsop-shared-gitlab-runner-f887cbcbd-srgz6 E82_g8RG section_start:1630435911:resolve_secrets Resolving secrets section_end:1630435911:resolve_secrets section_start:1630435911:prepare_executor Preparing the "kubernetes" executor "ServiceAccount" overwritten with "vat" Using Kubernetes namespace: gitlab-runner-ironbank-dsop WARNING: Pulling GitLab Runner helper image from Docker Hub. Helper image is migrating to registry.gitlab.com, for more information see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#migrating-helper-image-to-registrygitlabcom Using Kubernetes executor with image registry1.dso.mil/ironbank/ironbank-pipelines/pipeline-runner:0.3 ... section_end:1630435911:prepare_executor section_start:1630435911:prepare_script Preparing environment Waiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-2237-concurrent-0g76xh to be running, status is Pending Waiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-2237-concurrent-0g76xh to be running, status is Pending ContainersNotReady: "containers with unready status: [build helper istio-proxy]" ContainersNotReady: "containers with unready status: [build helper istio-proxy]" Running on runner-e82g8rg-project-2237-concurrent-0g76xh via dsop-shared-gitlab-runner-f887cbcbd-srgz6... section_end:1630435917:prepare_script section_start:1630435917:get_sources Getting source from Git repository $ until [ $(curl --fail --silent --output /dev/stderr --write-out "%{http_code}" localhost:15020/healthz/ready) -eq 200 ]; do echo Waiting for Sidecar; sleep 3 ; done ; echo Sidecar available; Sidecar available Fetching changes with git depth set to 50... Initialized empty Git repository in /builds/dsop/kubeflow/katib/katib-frontend-170bd2c7c8f1/.git/ Created fresh repository. Checking out 5146bfc0 as development... Skipping object checkout, Git LFS is not installed. Skipping Git submodules setup section_end:1630435918:get_sources section_start:1630435918:download_artifacts Downloading artifacts Downloading artifacts for anchore-scan (6112174)... Downloading artifacts from coordinator... ok  id=6112174 responseStatus=200 OK token=QZ6ixEoU WARNING: ci-artifacts/scan-results/anchore/: lchown ci-artifacts/scan-results/anchore/: operation not permitted (suppressing repeats) Downloading artifacts for build (6112172)... Downloading artifacts from coordinator... ok  id=6112172 responseStatus=200 OK token=C64UvfYx Downloading artifacts for hardening-manifest (6112168)... WARNING: ci-artifacts/build/: lchown ci-artifacts/build/: operation not permitted (suppressing repeats) Downloading artifacts from coordinator... ok  id=6112168 responseStatus=200 OK token=94enzBfG WARNING: ci-artifacts/preflight/: lchown ci-artifacts/preflight/: operation not permitted (suppressing repeats) Downloading artifacts for load-scripts (6112165)... Downloading artifacts from coordinator... ok  id=6112165 responseStatus=200 OK token=NsQZ_qiA WARNING: ci-artifacts/[MASKED]/: lchown ci-artifacts/[MASKED]/: operation not permitted (suppressing repeats) Downloading artifacts for openscap-compliance (6112175)... Downloading artifacts from coordinator... ok  id=6112175 responseStatus=200 OK token=v-dzsz6r WARNING: ci-artifacts/scan-results/openscap/: lchown ci-artifacts/scan-results/openscap/: operation not permitted (suppressing repeats) Downloading artifacts for twistlock-scan (6112176)... Downloading artifacts from coordinator... ok  id=6112176 responseStatus=200 OK token=EjjqRqhh WARNING: ci-artifacts/scan-results/twistlock/: lchown ci-artifacts/scan-results/twistlock/: operation not permitted (suppressing repeats) Downloading artifacts for wl-compare-lint (6112169)... Downloading artifacts from coordinator... ok  id=6112169 responseStatus=200 OK token=bsxAZcRB WARNING: ci-artifacts/lint/: lchown ci-artifacts/lint/: operation not permitted (suppressing repeats) section_end:1630435918:download_artifacts section_start:1630435918:step_script Executing "step_script" stage of the job script $ "${PIPELINE_REPO_DIR}/stages/vat/vat-run-api.sh" INFO: Log level set to info INFO: Gathering list of all justifications... INFO: Vulnerability description does not exist INFO: Vulnerability description does not exist INFO: Vulnerability description does not exist INFO: Vulnerability description does not exist INFO: Vulnerability description does not exist INFO: Vulnerability description does not exist INFO: Vulnerability description does not exist INFO: Vulnerability description does not exist INFO: Vulnerability description does not exist INFO: Vulnerability description does not exist INFO: Vulnerability description does not exist INFO: API Response: {"imageName":"kubeflow/katib/katib-frontend-170bd2c7c8f1","imageTag":"v0.2","vatUrl":"https://vat.dso.mil/vat/container/6335","accreditation":"Conditionally Approved","containerState":"Under Review","earliestExpiration":"2022-04-27T04:00:00.000Z","findings":[{"identifier":"CCE-80935-0","source":"oscap_comp","description":"Configure System Cryptography Policy","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. FIPS enablement requires the host node to have FIPS enabled at the kernel level which is inherited into the container.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-80938-4","source":"oscap_comp","description":"Configure OpenSSL library to use System Crypto Policy","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. /etc/pki/tls/openssl.cnf contains: [ crypto_policy ] .include /etc/crypto-policies/back-ends/openssl.config .include /etc/crypto-policies/back-ends/opensslcnf.config","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82168-6","source":"oscap_comp","description":"Log USBGuard daemon audit events using Linux Audit","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82214-8","source":"oscap_comp","description":"Install sudo Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2021-01-27T17:54:16.000Z","justification":"Sudo is not installed by default since most images are unprivileged and do not require any super user permissions. Removing the package removes the risk of any privilege escalation exploits within sudo.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-01-27T17:57:21.000Z","comment":"This finding is approved.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82220-5","source":"oscap_comp","description":"Install openscap-scanner Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. SCAP scanning occurs during the build pipeline.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82267-6","source":"oscap_comp","description":"Configure dnf-automatic to Install Only Security Updates","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82360-9","source":"oscap_comp","description":"Enable dnf-automatic Timer","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82368-2","source":"oscap_comp","description":"Authorize Human Interface Devices and USB hubs in USBGuard daemon","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82395-5","source":"oscap_comp","description":"Ensure gnutls-utils is installed","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-13T21:13:21.000Z","justification":"Package not available in UBI repos. This package only contains command line TLS client and server and certificate manipulation tools.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2020-11-13T21:16:30.000Z","comment":"This finding is approved.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82472-2","source":"oscap_comp","description":"Set Existing Passwords Minimum Age","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. No users other than root exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82473-0","source":"oscap_comp","description":"Set Existing Passwords Maximum Age","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. No users other than root exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82474-8","source":"oscap_comp","description":"Assign Expiration Date to Temporary Accounts","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. No temporary accounts exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82494-6","source":"oscap_comp","description":"Configure dnf-automatic to Install Available Updates Automatically","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82880-6","source":"oscap_comp","description":"Configure session renegotiation for SSH client","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-02-03T18:36:51.000Z","justification":"Not applicable. openssh-clients is not installed in the base image by default.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-02-03T18:37:31.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-02-03T20:13:01.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82949-9","source":"oscap_comp","description":"Install scap-security-guide Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. SCAP scanning occurs during the build pipeline.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82959-8","source":"oscap_comp","description":"Install usbguard Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82979-6","source":"oscap_comp","description":"Install libcap-ng-utils Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82985-3","source":"oscap_comp","description":"Install dnf-automatic Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. Package performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-83401-0","source":"oscap_comp","description":"Enforce pam_faillock for Local Accounts Only","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-02-03T18:36:51.000Z","justification":"False positive. local_users_only is set in /etc/security/faillock.conf ","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-02-03T18:37:31.000Z","comment":"This finding was reviewed.","designator":"False Positive","falsePositive":true,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-02-03T20:13:02.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2016-10518","source":"twistlock_cve","description":"A vulnerability was found in the ping functionality of the ws module before 1.0.0 which allowed clients to allocate memory by sending a ping frame. The ping functionality by default responds with a pong frame and the previously given payload of the ping frame. This is exactly what you expect, but internally ws always transforms all data that we need to send to a Buffer instance and that is where the vulnerability existed. ws didn\\'t do any checks for the type of data it was sending. With buffers in node when you allocate it when a number instead of a string it will allocate the amount of bytes.","package":"ws-0.4.32","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 5/31/2018. upstream fixed on 1/4/2016. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2016-10539","source":"twistlock_cve","description":"negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for \\\"Accept-Language\\\", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service via a specially crafted string.","package":"negotiator-0.5.3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 5/31/2018. fix in 0.6.1. upstream committed five years ago . katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2016-10542","source":"twistlock_cve","description":"ws is a \\\"simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455\\\". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.","package":"ws-0.4.32","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Patched upstream in version 1.1.1 on 6/24/16. Vendor has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2017-1000048","source":"twistlock_cve","description":"the web framework using ljharb\\'s qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.","package":"qs-3.0.0","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Fixed on Mar 5, 2017 in 6.4.0; Mar 6, 2017 in 6.0.4, 6.1.2, 6.2.3, and 6.3.2. Vendor hasn't updated.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2017-1000048","source":"twistlock_cve","description":"the web framework using ljharb\\'s qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.","package":"qs-4.0.0","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Fixed on Mar 5, 2017 in 6.4.0; Mar 6, 2017 in 6.0.4, 6.1.2, 6.2.3, and 6.3.2. Vendor hasn't updated.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2017-1000048","source":"twistlock_cve","description":"the web framework using ljharb\\'s qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil request to cause the web framework crash.","package":"qs-6.2.0","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Fixed on Mar 5, 2017 in 6.4.0; Mar 6, 2017 in 6.0.4, 6.1.2, 6.2.3, and 6.3.2. Vendor hasn't updated.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2017-16118","source":"twistlock_cve","description":"The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it\\'s passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.","package":"forwarded-0.1.0","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 6/6/2018. upstream lpatched in v 0.1.2 on 9/14/17 . Vendor has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2017-16119","source":"twistlock_cve","description":"Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.","package":"fresh-0.3.0","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 6/6/2018. fix in 0.5.2. upstream committed four years ago. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2017-16137","source":"twistlock_cve","description":"The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.","package":"debug-2.2.0","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 2/15/2021. fix in 4.17.21. upstream committed on 2/20/2021. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2017-16138","source":"twistlock_cve","description":"The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.","package":"mime-1.3.4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 6/6/2018. fix in 2.0.3. upstream committed four years ago. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2017-18589","source":"anchore_cve","description":"An issue was discovered in the cookie crate before 0.7.6 for Rust. Large integers in the Max-Age of a cookie cause a panic.","package":"cookie-0.3.1","packagePath":"/modeldb/frontend/node_modules/cookie/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"False positive. This affects a rust crate.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"False Positive","falsePositive":true,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2019-20838","source":"anchore_cve","description":"libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched on 9/21/2018. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:02.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2019-20838","source":"twistlock_cve","description":"libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\\\X or \\\\R has more than one fixed quantifier, a related issue to CVE-2019-20454.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:28.000Z","justification":"Upstream patched on 9/21/2018. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2019-5413","source":"twistlock_cve","description":"An attacker can use the format parameter to inject arbitrary commands in the npm package morgan < 1.9.1.","package":"morgan-1.7.0","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 3/21/2019. fix in 1.9.1 on 9/10/18. Vendor has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-14155","source":"anchore_cve","description":"libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 8.44 on 2/10/2020. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:02.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-14155","source":"twistlock_cve","description":"libpcre in PCRE before 8.44 allows an integer overflow via a large number after a ","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 8.44 on 2/10/2020. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-16135","source":"anchore_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-16135","source":"twistlock_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T15:13:07.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T15:13:50.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T15:25:13.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-16135","source":"anchore_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-config-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-24370","source":"anchore_cve","description":"ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).","package":"lua-libs-5.3.4-11.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Published 2020-07-23. Fix available upstream in lua master branch 2020-07-27. Red Hat has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-28500","source":"twistlock_cve","description":"Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.","package":"lodash-4.17.20","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 2/15/2021. fix in 4.17.21. upstream committed on 2/20/2021. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-28500","source":"anchore_cve","description":"none","package":"lodash-4.17.20","packagePath":"/modeldb/frontend/node_modules/node_modules/lodash/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 2/15/2021. Patched upstream in v4.17.21 on 2/20/2021. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-28500","source":"anchore_cve","description":"none","package":"lodash-4.17.20","packagePath":"/opt/package/node_modules/lodash/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 2/15/2021. Patched upstream in v4.17.21 on 2/20/2021. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-7774","source":"twistlock_cve","description":"This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po6ix: const y18n = require(\\'y18n\\')(); y18n.setLocale(\\'__proto__\\'); y18n.updateLocale({polluted: true}); console.log(polluted); // true","package":"y18n-3.2.1","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 11/17/2020. fix in 5.0.5. upstream committed 10/25/2020 . katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:57.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-7774","source":"anchore_cve","description":"none","package":"y18n-3.2.1","packagePath":"/modeldb/frontend/node_modules/y18n/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Patched upstream in version 3.2.2 on 1/4/2021. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-20231","source":"anchore_cve","description":"A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20231","source":"twistlock_cve","description":"A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20232","source":"anchore_cve","description":"A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20232","source":"twistlock_cve","description":"A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"twistlock_cve","description":"A flaw was found in RPM\\'s hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"anchore_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"twistlock_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \\\"Exposure of Private Personal Information to an Unauthorized Actor\\\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:16.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"anchore_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"anchore_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-11T13:30:57.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-11T13:31:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T13:32:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"twistlock_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-22T21:11:58.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-22T21:14:01.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-22T21:14:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"anchore_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-11T13:30:57.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-11T13:31:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T13:32:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"anchore_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"twistlock_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"anchore_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"anchore_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"twistlock_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user\\'s expectations and intentions and without telling the user it happened.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"anchore_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"anchore_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"twistlock_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take \\'issuercert\\' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn\\'t include the \\'issuer cert\\' which a transfer can setto qualify how to verify the server certificate.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"anchore_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"anchore_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"twistlock_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-16T21:12:09.000Z","justification":"Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-16T21:12:09.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-16T21:16:24.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"anchore_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-23337","source":"twistlock_cve","description":"Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.","package":"lodash-4.17.20","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 2/15/2021. fix in 4.17.21. upstream committed on 2/20/2021. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-23337","source":"anchore_cve","description":"none","package":"lodash-4.17.20","packagePath":"/modeldb/frontend/node_modules/node_modules/lodash/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 2/15/2021. Patched upstream in v4.17.21 on 2/20/2021. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:57.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-23337","source":"anchore_cve","description":"none","package":"lodash-4.17.20","packagePath":"/opt/package/node_modules/lodash/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 2/15/2021. Patched upstream in v4.17.21 on 2/20/2021. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:57.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-23343","source":"twistlock_cve","description":"All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.","package":"path-parse-1.0.6","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-26T22:43:05.000Z","justification":"Patched upstream in version 1.0.7 on 5/25/2021. Node has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-26T22:43:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-27T01:13:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-23343","source":"anchore_cve","description":"none","package":"path-parse-1.0.6","packagePath":"/usr/local/lib/node_modules/npm/node_modules/path-parse/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-12T19:35:04.000Z","justification":"All versions affected and there is no patch available.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-12T19:35:26.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-12T19:37:32.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-23362","source":"twistlock_cve","description":"The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.","package":"hosted-git-info-2.4.2","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 3/23/2021. fix in 3.0.8. upstream committed on 1/28/2021. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-23840","source":"anchore_cve","description":"Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-03-31T17:41:15.000Z","justification":"Vendor patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-03-31T17:41:44.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-03-31T17:46:26.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-23841","source":"anchore_cve","description":"The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-03-31T17:41:15.000Z","justification":"Vendor patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-03-31T17:41:44.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-03-31T17:46:26.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-28153","source":"anchore_cve","description":"An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)","package":"glib2-2.56.4-10.el8_4.1","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","justification":"Upstream patched in version 2.67.6 on 3/10/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-11T14:31:51.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-28153","source":"twistlock_cve","description":"An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)","package":"glib2-2.56.4-10.el8_4.1","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","justification":"Upstream patched in version 2.67.6 on 3/10/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-11T14:31:51.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3200","source":"anchore_cve","description":"Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service","package":"libsolv-0.7.16-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T00:31:56.000Z","justification":"True Positive. Published 2020-12-20. No patch available in UBI.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:10:21.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:18:42.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3200","source":"twistlock_cve","description":"Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read","package":"libsolv-0.7.16-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T13:34:08.000Z","justification":"True Positive. Published 2020-12-20. No patch available in UBI.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:34:26.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:35:21.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-32640","source":"twistlock_cve","description":"ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.","package":"ws-0.4.32","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-27T18:51:43.000Z","justification":"Reported on 05/25/2021. Patched upstream in versions 5.2.3, 6.2.2, 7.4.6. Katib-frontend has not patched.\n","user":{"name":"mdfreeman90","email":"michaelfreeman@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-28T15:52:08.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-28T15:54:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-32640","source":"twistlock_cve","description":"ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.","package":"ws-5.2.2","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-27T18:51:43.000Z","justification":"Reported on 05/25/2021. Patched upstream in versions 5.2.3, 6.2.2, 7.4.6. Katib-frontend has not patched.\n","user":{"name":"mdfreeman90","email":"michaelfreeman@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-28T15:52:08.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-28T15:54:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-32640","source":"anchore_cve","description":"none","package":"ws-5.2.2","packagePath":"/modeldb/frontend/node_modules/node_modules/thrift/node_modules/ws/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-27T18:51:43.000Z","justification":"Reported on 05/25/2021. Patched upstream in versions 5.2.3, 6.2.2, 7.4.6. Katib-frontend has not patched.\n","user":{"name":"mdfreeman90","email":"michaelfreeman@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-28T15:52:08.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-28T15:54:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-32640","source":"anchore_cve","description":"none","package":"ws-5.2.2","packagePath":"/modeldb/frontend/node_modules/thrift/node_modules/ws/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-27T18:51:43.000Z","justification":"Reported on 05/25/2021. Patched upstream in versions 5.2.3, 6.2.2, 7.4.6. Katib-frontend has not patched.\n","user":{"name":"mdfreeman90","email":"michaelfreeman@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-28T15:52:08.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-28T15:54:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-32640","source":"anchore_cve","description":"none","package":"ws-5.2.2","packagePath":"/opt/package/node_modules/thrift/node_modules/ws/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-27T18:51:43.000Z","justification":"Reported on 05/25/2021. Patched upstream in versions 5.2.3, 6.2.2, 7.4.6. Katib-frontend has not patched.\n","user":{"name":"mdfreeman90","email":"michaelfreeman@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-28T15:52:08.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-28T15:54:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-32640","source":"twistlock_cve","description":"ws is an open source WebSocket client and server library for Node.js. A specially crafted value of the `Sec-Websocket-Protocol` header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff). In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the [`--max-http-header-size=size`](https://nodejs.org/api/cli.html#cli_max_http_header_size_size) and/or the [`maxHeaderSize`](https://nodejs.org/api/http.html#http_http_createserver_options_requestlistener) options.","package":"ws-7.4.3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-27T18:51:43.000Z","justification":"Reported on 05/25/2021. Patched upstream in versions 5.2.3, 6.2.2, 7.4.6. Katib-frontend has not patched.\n","user":{"name":"mdfreeman90","email":"michaelfreeman@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-28T15:52:08.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-28T15:54:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-32640","source":"anchore_cve","description":"none","package":"ws-7.4.3","packagePath":"/modeldb/frontend/node_modules/node_modules/ws/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-27T18:51:43.000Z","justification":"Reported on 05/25/2021. Patched upstream in versions 5.2.3, 6.2.2, 7.4.6. Katib-frontend has not patched.\n","user":{"name":"mdfreeman90","email":"michaelfreeman@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-28T15:52:08.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-28T15:54:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-32640","source":"anchore_cve","description":"none","package":"ws-7.4.3","packagePath":"/opt/package/node_modules/ws/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-27T18:51:43.000Z","justification":"Reported on 05/25/2021. Patched upstream in versions 5.2.3, 6.2.2, 7.4.6. Katib-frontend has not patched.\n","user":{"name":"mdfreeman90","email":"michaelfreeman@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-28T15:52:08.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-28T15:54:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33560","source":"anchore_cve","description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.","package":"libgcrypt-1.8.5-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-16T13:44:47.000Z","justification":"Upstream patched on 5/26/21 in version 1.8.8. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-16T13:52:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-16T13:54:01.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33560","source":"twistlock_cve","description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.","package":"libgcrypt-1.8.5-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-14T13:18:27.000Z","justification":"Upstream patched on 5/26/21 in version 1.8.8. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-14T13:19:43.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-14T13:20:42.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"twistlock_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T13:31:07.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:34:26.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:35:21.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"twistlock_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3426","source":"anchore_cve","description":"There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.","package":"platform-python-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:10.000Z","justification":"No upstream fix is available.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3426","source":"anchore_cve","description":"There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.","package":"python3-libs-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:10.000Z","justification":"No upstream fix is available.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:13.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"twistlock_cve","description":"A flaw was found in libdnf\\'s signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T18:16:40.000Z","justification":"Patched upstream in version 0.60.1 on 4/12/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T18:17:14.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T18:19:19.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"python3-hawkey-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"python3-libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:13.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3572","source":"anchore_cve","description":"none","package":"python3-pip-wheel-9.0.3-19.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T15:13:07.000Z","justification":"Upstream patched in version 21.1. Red Hat has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T15:13:50.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T15:25:13.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3580","source":"anchore_cve","description":"A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","package":"nettle-3.4.1-4.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-08T18:20:21.000Z","justification":"Patched upstream in version 3.7.3 on 5/17/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-08T18:20:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-08T18:21:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3580","source":"twistlock_cve","description":"A flaw was found in the way nettle\\'s RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","package":"nettle-3.4.1-4.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 3.7.3 on 5/17/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"twistlock_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-23T15:50:48.000Z","justification":"Upstream patched in version 2.34 which is scheduled to be released on 8/1/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-23T18:06:10.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-23T18:09:07.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36084","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36084","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36085","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36085","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36086","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36086","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36087","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36087","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36222","source":"anchore_cve","description":"ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.","package":"krb5-libs-1.18.2-8.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-20T13:36:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-20T13:44:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-20T13:45:06.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3634","source":"anchore_cve","description":"none","package":"libssh-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","justification":"Reported 7/2/21. RedHat has not patched. ","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T20:38:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3634","source":"anchore_cve","description":"none","package":"libssh-config-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","justification":"Reported 7/2/21. RedHat has not patched. ","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T20:37:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T20:38:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3712","source":"anchore_cve","description":"ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-25T17:22:33.000Z","justification":"Upstream submitted patches on 08/24/2021 to the 1.1.1 branch. No ETA on finalizing a new 1.1.1 release which contains these patches.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-25T17:39:52.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-25T17:40:38.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3737","source":"anchore_cve","description":"none","package":"platform-python-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-26T14:23:26.000Z","justification":"Patched upstream in version 3.6.14 on 6/28/21. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T14:23:38.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T14:24:02.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3737","source":"anchore_cve","description":"none","package":"python3-libs-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-26T14:23:26.000Z","justification":"Patched upstream in version 3.6.14 on 6/28/21. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-26T14:23:38.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-26T14:24:02.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-37701","source":"twistlock_cve","description":"### Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\\\` and `/` characters as path separators, however `\\\\` is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creat","package":"tar-4.4.15","findingsState":"needs_justification"},{"identifier":"CVE-2021-37712","source":"twistlock_cve","description":"### Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \\\"short path\\\" counterparts. A specially crafted tar archive could thus include directories with two forms of the path that resolve to the same file system entity, followed by a symbolic link with a name in the first form, lastly followed by a file using the second form. It led to bypassing node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. The v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you up","package":"tar-4.4.15","findingsState":"needs_justification"},{"identifier":"CVE-2021-37713","source":"twistlock_cve","description":"### Impact Arbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\\\path`. If the drive letter does not match the extraction target, for example `D:\\\\extraction\\\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory. Additionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path. This only affects users of `node-tar` on Windows systems. ### Patches 4.4.18 || 5.0.10 || 6.1.9 ### Workarounds There is no reasonable way to work around this issue without performing the same path normalization procedures that node-ta","package":"tar-4.4.15","findingsState":"needs_justification"},{"identifier":"CVE-2021-37750","source":"anchore_cve","description":"The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.5 and 1.19.x before 1.19.3 has a NULL pointer dereference in kdc/do_tgs_req.c via a FAST inner body that lacks a server field.","package":"krb5-libs-1.18.2-8.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-27T13:49:53.000Z","justification":"Reported 8/23/21, fixed in krb 1.18.5. RedHat has not patched.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-27T13:49:53.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-27T13:50:39.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-2mhh-w6q8-5hxw","source":"anchore_cve","description":"none","package":"ws-0.4.32","packagePath":"/modeldb/frontend/node_modules/ws/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Patched upstream in version 1.0.1 in 2016. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-43f8-2h32-f4cj","source":"anchore_cve","description":"none","package":"hosted-git-info-2.4.2","packagePath":"/modeldb/frontend/node_modules/hosted-git-info/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-14T14:38:37.000Z","justification":"Upstream patched in version 2.8.9 on 1/28/2021. katib-frontend has not patched.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-14T14:38:52.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-14T14:40:44.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"GHSA-5v72-xg48-5rpm","source":"anchore_cve","description":"none","package":"ws-0.4.32","packagePath":"/modeldb/frontend/node_modules/ws/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Patched upstream in version 1.1.5 on 11/8/17. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-6663-c963-2gqg","source":"anchore_cve","description":"none","package":"ws-0.4.32","packagePath":"/modeldb/frontend/node_modules/ws/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Patched upstream in version 1.1.1 on 6/24/16. Vendor has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-6fc8-4gx4-v693","source":"anchore_cve","description":"none","package":"ws-0.4.32","packagePath":"/modeldb/frontend/node_modules/ws/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-27T18:51:43.000Z","justification":"Reported on 05/25/2021. Patched upstream in versions 5.2.3, 6.2.2, 7.4.6. Katib-frontend has not patched. Related to CVE-2021-32640.\n","user":{"name":"mdfreeman90","email":"michaelfreeman@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-07-28T15:52:08.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-28T15:54:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"GHSA-7mc5-chhp-fmc3","source":"anchore_cve","description":"none","package":"negotiator-0.5.3","packagePath":"/modeldb/frontend/node_modules/negotiator/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Patched upstream in 0.6.1 on 5/2/16. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-9qj9-36jm-prpv","source":"anchore_cve","description":"none","package":"fresh-0.3.0","packagePath":"/modeldb/frontend/node_modules/fresh/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 6/6/2018. fix in 0.5.2. upstream committed four years ago. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-gqgv-6jq5-jjj9","source":"anchore_cve","description":"none","package":"qs-4.0.0","packagePath":"/modeldb/frontend/node_modules/express/node_modules/qs/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Patched upstream in version 6.2.3 on 3/6/17. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-gqgv-6jq5-jjj9","source":"anchore_cve","description":"none","package":"qs-6.2.0","packagePath":"/modeldb/frontend/node_modules/qs/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Patched upstream in version 6.2.3 on 3/6/17. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-gwg9-rgvj-4h5j","source":"anchore_cve","description":"none","package":"morgan-1.7.0","packagePath":"/modeldb/frontend/node_modules/morgan/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 3/21/2019. fix in 1.9.1 on 9/10/18. Vendor has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-gxpj-cx7g-858c","source":"anchore_cve","description":"none","package":"debug-2.2.0","packagePath":"/modeldb/frontend/node_modules/debug/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Patched upstream in version 2.6.9 on 9/2017. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:06.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-mpcf-4gmh-23w8","source":"anchore_cve","description":"none","package":"forwarded-0.1.0","packagePath":"/modeldb/frontend/node_modules/forwarded/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 6/6/2018. upstream lpatched in v 0.1.2 on 9/14/17 . Vendor has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-p9pc-299p-vxgp","source":"anchore_cve","description":"none","package":"yargs-parser-5.0.0","packagePath":"/modeldb/frontend/node_modules/yargs-parser/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Reported on 3/16/2020. fix in 13.1.2. upstream committed two year ago. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"GHSA-wrvr-8mpx-r7pp","source":"anchore_cve","description":"none","package":"mime-1.3.4","packagePath":"/modeldb/frontend/node_modules/mime/package.json","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-14T18:55:25.000Z","justification":"Patched upstream in version 1.4.1 on 9/2017. katib-frontend has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-14T19:00:07.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-27T16:46:56.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"PRISMA-2021-0096","source":"twistlock_cve","description":"tar package versions before 6.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS). When stripping the trailing slash from `files` arguments, we were using `f.replace(/\\\\/+$/, \\'\\')`, which can get exponentially slow when `f` contains many `/` characters. This is \\\"\\\"unlikely but theoretically possible\\\"\\\" because it requires that the user is passing untrusted input into the `tar.extract()` or `tar.list()` array of entries to parse/extract, which would be quite unusual.","package":"tar-4.4.15","findingsState":"needs_justification"}],"digest":"500b15d1f516f8be2fa6b641602599418065e1a3707c19a5c1c9b999141270b1"} INFO: POST Response: 201 section_end:1630435934:step_script section_start:1630435934:upload_artifacts_on_success Uploading artifacts for successful job Uploading artifacts... ci-artifacts/vat_request.json: found 1 matching files and directories Uploading artifacts as "archive" to coordinator... ok id=6112182 responseStatus=201 Created token=8PPnhDq9 section_end:1630435935:upload_artifacts_on_success section_start:1630435935:cleanup_file_variables Cleaning up file based variables section_end:1630435935:cleanup_file_variables Job succeeded