chore(findings): montuno/dosecast/dosecastwebapp
Summary
montuno/dosecast/dosecastwebapp has 93 new findings discovered during continuous monitoring.
id | source | severity | package |
---|---|---|---|
GHSA-hfrx-6qgj-fp6c | Anchore CVE | High | commons-fileupload-1.4 |
GHSA-gv87-q66h-4277 | Anchore CVE | Critical | itextpdf-5.5.12 |
CVE-2023-20861 | Anchore CVE | Medium | spring-core-5.3.23 |
CVE-2023-20861 | Anchore CVE | Medium | spring-core-5.3.24 |
CVE-2023-20860 | Anchore CVE | High | spring-core-5.3.24 |
CVE-2023-20860 | Anchore CVE | High | spring-core-5.3.23 |
GHSA-3vqj-43w4-2q58 | Anchore CVE | High | json-20190722 |
GHSA-3vqj-43w4-2q58 | Anchore CVE | High | json-20160212 |
CVE-2023-20863 | Anchore CVE | Medium | spring-core-5.3.23 |
CVE-2023-20863 | Anchore CVE | Medium | spring-core-5.3.24 |
GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-30.1.1-jre |
CVE-2023-35116 | Anchore CVE | Medium | jackson-databind-2.14.1 |
GHSA-7g45-4rm6-3mm3 | Anchore CVE | Medium | guava-30.1.1-jre |
CVE-2023-35116 | Anchore CVE | Medium | jackson-databind-2.14.1 |
CVE-2023-35116 | Anchore CVE | Medium | jackson-databind-2.14.1 |
CVE-2023-34034 | Anchore CVE | Critical | spring-security-core-5.7.6 |
GHSA-5mg8-w23w-74h3 | Anchore CVE | Low | guava-30.1.1-jre |
CVE-2023-20862 | Anchore CVE | Medium | spring-security-core-5.7.6 |
CVE-2023-0687 | Anchore CVE | Medium | glibc-gconv-extra-2.28-225.el8 |
CVE-2023-34034 | Anchore CVE | Critical | spring-security-core-5.7.6 |
CVE-2023-0687 | Anchore CVE | Medium | glibc-langpack-en-2.28-225.el8 |
CVE-2023-20862 | Anchore CVE | Medium | spring-security-core-5.7.6 |
CVE-2023-3446 | Anchore CVE | Low | openssl-1:1.1.1k-9.el8_7 |
GHSA-5mg8-w23w-74h3 | Anchore CVE | Low | guava-30.1.1-jre |
CVE-2021-29390 | Anchore CVE | Medium | libjpeg-turbo-1.5.3-12.el8 |
CVE-2023-41080 | Anchore CVE | Medium | tomcat-jdbc-9.0.70 |
CVE-2023-4527 | Anchore CVE | Medium | glibc-langpack-en-2.28-225.el8 |
CVE-2023-4813 | Anchore CVE | Medium | glibc-langpack-en-2.28-225.el8 |
CVE-2023-4806 | Anchore CVE | Medium | glibc-gconv-extra-2.28-225.el8 |
CVE-2023-4813 | Anchore CVE | Medium | glibc-gconv-extra-2.28-225.el8 |
CVE-2023-4527 | Anchore CVE | Medium | glibc-gconv-extra-2.28-225.el8 |
CVE-2023-4806 | Anchore CVE | Medium | glibc-langpack-en-2.28-225.el8 |
CVE-2019-25033 | Anchore CVE | Medium | unbound-libs-1.16.2-5.el8 |
CVE-2019-25033 | Anchore CVE | Medium | python3-unbound-1.16.2-5.el8 |
CVE-2023-25193 | Anchore CVE | Medium | harfbuzz-1.7.5-3.el8 |
CVE-2023-5156 | Anchore CVE | Medium | glibc-gconv-extra-2.28-225.el8 |
CVE-2023-5156 | Anchore CVE | Medium | glibc-langpack-en-2.28-225.el8 |
CVE-2023-4911 | Anchore CVE | High | glibc-langpack-en-2.28-225.el8 |
CVE-2023-4911 | Anchore CVE | High | glibc-gconv-extra-2.28-225.el8 |
CVE-2023-25193 | Twistlock CVE | Medium | harfbuzz-1.7.5-3.el8 |
CVE-2023-24998 | Twistlock CVE | High | commons-fileupload_commons-fileupload-1.4 |
CVE-2021-43113 | Twistlock CVE | Critical | com.itextpdf_itextpdf-5.5.12 |
CVE-2023-0464 | Twistlock CVE | Low | openssl-1.1.1k-9.el8_7 |
CVE-2023-0466 | Twistlock CVE | Low | openssl-1.1.1k-9.el8_7 |
CVE-2023-0465 | Twistlock CVE | Low | openssl-1.1.1k-9.el8_7 |
CVE-2016-1000027 | Twistlock CVE | Critical | spring-web-5.3.24 |
PRISMA-2022-0168 | Twistlock CVE | High | pip-9.0.3 |
CVE-2023-20860 | Twistlock CVE | High | spring-web-5.3.24 |
CVE-2022-45143 | Twistlock CVE | High | tomcat-embed-core-9.0.68 |
CVE-2023-20861 | Twistlock CVE | Medium | spring-web-5.3.24 |
CVE-2023-28708 | Twistlock CVE | Medium | tomcat-embed-core-9.0.68 |
CVE-2023-20863 | Twistlock CVE | Medium | spring-web-5.3.24 |
CVE-2023-20862 | Twistlock CVE | Medium | spring-security-core-5.7.6 |
PRISMA-2023-0067 | Twistlock CVE | High | com.fasterxml.jackson.core_jackson-core-2.13.4 |
PRISMA-2023-0067 | Twistlock CVE | High | com.fasterxml.jackson.core_jackson-core-2.14.1 |
CVE-2020-1938 | Twistlock CVE | Critical | tomcat-util-9.0 |
CVE-2018-8014 | Twistlock CVE | Critical | tomcat-util-9.0 |
CVE-2022-25762 | Twistlock CVE | High | tomcat-util-9.0 |
CVE-2017-12617 | Twistlock CVE | High | tomcat-util-9.0 |
CVE-2022-42252 | Twistlock CVE | High | tomcat-util-9.0 |
CVE-2021-41079 | Twistlock CVE | High | tomcat-util-9.0 |
CVE-2021-25122 | Twistlock CVE | High | tomcat-util-9.0 |
CVE-2020-11996 | Twistlock CVE | High | tomcat-util-9.0 |
CVE-2019-17563 | Twistlock CVE | High | tomcat-util-9.0 |
CVE-2021-25329 | Twistlock CVE | High | tomcat-util-9.0 |
CVE-2019-12418 | Twistlock CVE | High | tomcat-util-9.0 |
CVE-2021-30640 | Twistlock CVE | Medium | tomcat-util-9.0 |
CVE-2018-1305 | Twistlock CVE | Medium | tomcat-util-9.0 |
CVE-2018-8037 | Twistlock CVE | Medium | tomcat-util-9.0 |
CVE-2018-1304 | Twistlock CVE | Medium | tomcat-util-9.0 |
CVE-2020-1935 | Twistlock CVE | Medium | tomcat-util-9.0 |
CVE-2018-11784 | Twistlock CVE | Medium | tomcat-util-9.0 |
CVE-2021-43980 | Twistlock CVE | Low | tomcat-util-9.0 |
CVE-2023-20883 | Twistlock CVE | High | spring-boot-autoconfigure-2.7.7 |
CVE-2023-2650 | Twistlock CVE | Low | openssl-1.1.1k-9.el8_7 |
CVE-2023-3446 | Twistlock CVE | Low | openssl-1.1.1k-9.el8_7 |
CVE-2023-34034 | Twistlock CVE | Critical | spring-security-core-5.7.6 |
CVE-2023-34034 | Twistlock CVE | Critical | spring-security-config-5.7.6 |
CVE-2023-3817 | Twistlock CVE | Low | openssl-1.1.1k-9.el8_7 |
CVE-2022-1471 | Twistlock CVE | Critical | org.yaml_snakeyaml-1.33 |
CVE-2021-29390 | Twistlock CVE | Medium | libjpeg-turbo-1.5.3-12.el8 |
CVE-2023-41080 | Twistlock CVE | Medium | tomcat-util-9.0 |
CVE-2023-41080 | Twistlock CVE | Medium | tomcat-embed-core-9.0.68 |
CVE-2023-33201 | Twistlock CVE | Medium | org.bouncycastle_bcprov-jdk15on-1.68 |
CVE-2023-4527 | Twistlock CVE | Medium | glibc-langpack-en-2.28-225.el8 |
CVE-2023-4813 | Twistlock CVE | Medium | glibc-langpack-en-2.28-225.el8 |
CVE-2023-4806 | Twistlock CVE | Medium | glibc-langpack-en-2.28-225.el8 |
CVE-2022-1471 | Twistlock CVE | Critical | org.yaml_snakeyaml-1.32 |
CVE-2020-17527 | Twistlock CVE | High | tomcat-coyote-9.0 |
CVE-2023-2976 | Twistlock CVE | High | com.google.guava_guava-30.1.1 |
CVE-2020-8908 | Twistlock CVE | Low | com.google.guava_guava-30.1.1 |
CVE-2020-13943 | Twistlock CVE | Medium | tomcat-coyote-9.0 |
CVE-2023-4911 | Twistlock CVE | Critical | glibc-langpack-en-2.28-225.el8 |
VAT: https://vat.dso.mil/vat/image?imageName=montuno/dosecast/dosecastwebapp&tag=1.0.4&branch=master
More information can be found in the failed pipeline located here: https://repo1.dso.mil/dsop/montunohealth/dosecast/dosecastwebapp/-/jobs/23470613
Tasks
Contributor:
- Provide justifications for findings in the VAT (docs)
- Apply the ~"Hardening::Verification" label to this issue and wait for feedback
Iron Bank:
- Review findings and justifications
Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.