UNCLASSIFIED - NO CUI

chore(findings): opensource/apache/apache-ant110-openjdk-11

Summary

opensource/apache/apache-ant110-openjdk-11 has 79 new findings discovered during continuous monitoring.

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=opensource/apache/apache-ant110-openjdk-11&tag=1.10.15&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id source severity package impact workaround epss_score kev
CVE-2018-19210 Twistlock CVE Low libtiff-4.0.9-35.el8_10 0.02369 false
CVE-2018-19210 Anchore CVE Low libtiff-4.0.9-35.el8_10 0.02369 false
CVE-2018-16335 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.02290 false
CVE-2018-16335 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.02290 false
CVE-2019-6128 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.01205 false
CVE-2019-6128 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.01205 false
CVE-2018-10779 Twistlock CVE Low libtiff-4.0.9-35.el8_10 0.00640 false
CVE-2018-10779 Anchore CVE Low libtiff-4.0.9-35.el8_10 0.00640 false
CVE-2018-17101 Twistlock CVE Low libtiff-4.0.9-35.el8_10 0.00568 false
CVE-2018-17101 Anchore CVE Low libtiff-4.0.9-35.el8_10 0.00568 false
CVE-2018-5360 Twistlock CVE Low libtiff-4.0.9-35.el8_10 0.00459 false
CVE-2018-5360 Anchore CVE Low libtiff-4.0.9-35.el8_10 0.00459 false
CVE-2023-6277 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00418 false
CVE-2023-6277 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00418 false
CVE-2018-10801 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00403 false
CVE-2018-10801 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00403 false
CVE-2023-41175 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00260 false
CVE-2023-41175 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00260 false
CVE-2023-40745 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00259 false
CVE-2023-40745 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00259 false
CVE-2023-3618 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00199 false
CVE-2023-3618 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00199 false
CVE-2023-25434 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00160 false
CVE-2023-25434 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00160 false
CVE-2023-52355 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00119 false
CVE-2023-52355 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00119 false
CVE-2022-1056 Twistlock CVE Low libtiff-4.0.9-35.el8_10 0.00074 false
CVE-2022-1056 Anchore CVE Low libtiff-4.0.9-35.el8_10 0.00074 false
CVE-2023-30775 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00053 false
CVE-2023-30775 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00053 false
CVE-2023-30086 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00048 false
CVE-2023-30086 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00048 false
CVE-2022-3599 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00047 false
CVE-2022-3599 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00047 false
CVE-2022-1354 Twistlock CVE Low libtiff-4.0.9-35.el8_10 0.00043 false
CVE-2022-1354 Anchore CVE Low libtiff-4.0.9-35.el8_10 0.00043 false
CVE-2022-3598 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00036 false
CVE-2022-3598 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00036 false
CVE-2025-8961 Twistlock CVE Low libtiff-4.0.9-35.el8_10 0.00034 false
CVE-2025-8961 Anchore CVE Low libtiff-4.0.9-35.el8_10 0.00034 false
CVE-2023-25435 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00033 false
CVE-2023-25435 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00033 false
CVE-2024-13978 Twistlock CVE Low libtiff-4.0.9-35.el8_10 0.00027 false
CVE-2024-13978 Anchore CVE Low libtiff-4.0.9-35.el8_10 0.00027 false
CVE-2023-3576 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00026 false
CVE-2023-3576 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00026 false
CVE-2023-26966 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00026 false
CVE-2023-26966 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00026 false
CVE-2025-9165 Anchore CVE Low libtiff-4.0.9-35.el8_10 0.00024 false
CVE-2020-18768 Twistlock CVE Low libtiff-4.0.9-35.el8_10 0.00024 false
CVE-2020-18768 Anchore CVE Low libtiff-4.0.9-35.el8_10 0.00024 false
CVE-2023-3316 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00022 false
CVE-2023-3316 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00022 false
CVE-2023-30774 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00022 false
CVE-2023-30774 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00022 false
CVE-2025-8851 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00021 false
CVE-2025-8851 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00021 false
CVE-2025-8176 Twistlock CVE High libtiff-4.0.9-35.el8_10 0.00017 false
CVE-2025-8176 Anchore CVE High libtiff-4.0.9-35.el8_10 0.00017 false
CVE-2023-1916 Twistlock CVE Low libtiff-4.0.9-35.el8_10 0.00017 false
CVE-2023-1916 Anchore CVE Low libtiff-4.0.9-35.el8_10 0.00017 false
CVE-2023-0799 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00017 false
CVE-2023-0799 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00017 false
CVE-2023-0798 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00015 false
CVE-2023-0798 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00015 false
CVE-2023-0797 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00015 false
CVE-2023-0797 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00015 false
CVE-2023-0796 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00015 false
CVE-2023-0796 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00015 false
CVE-2023-0795 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00015 false
CVE-2023-0795 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00015 false
CVE-2022-40090 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00012 false
CVE-2022-40090 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00012 false
CVE-2023-3164 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00010 false
CVE-2023-3164 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00010 false
CVE-2022-3570 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00010 false
CVE-2022-3570 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00010 false
CVE-2023-26965 Twistlock CVE Medium libtiff-4.0.9-35.el8_10 0.00009 false
CVE-2023-26965 Anchore CVE Medium libtiff-4.0.9-35.el8_10 0.00009 false

Novel Tidelift Findings (Experimental)

opensource/apache/apache-ant110-openjdk-11 has 18 novel Tidelift findings discovered during continuous monitoring.

NOTE: This table is for Iron Bank evaluation and testing purposes. No action required by vendors.

id cvss score package impact workaround epss_score kev
CVE-2019-9740 6.1 urllib3-1.24.2 It's unlikely for an attacker to control the URL you're fetching. 0.11774 false
CVE-2016-5699 6.1 urllib3-1.24.2 It's unlikely for an attacker to control URLs. Reject URLs with \r\n or encode those characters. 0.11628 false
CVE-2023-32681 6.1 requests-2.20.0 Requires that the deployment or integration of requests (a) is being used to connect to untrusted hosts, (b) is connecting over HTTPS, and (c) is using proxies to do so. 0.06121 false
CVE-2024-6345 8.8 setuptools-39.2.0 Most users have migrated off of the code paths that are affected. The affected code paths are actively deprecated and planned for turn down. Only specialized and legacy workflows are affected. Use recommended installers (pip, uv, build, system package managers) to install all packages from trusted indexes. If working with untrusted content in private indexes, consider scanning for malicious code in the package index pages. 0.04362 false
CVE-2019-11324 7.5 urllib3-1.24.2 ca_certs is a commonly used parameter. 0.01415 false
CVE-2019-9947 6.1 urllib3-1.24.2 It's unlikely for an attacker to control a URL. Reject URLs with \r\n or encode those characters. 0.01184 false
CVE-2021-33503 7.5 urllib3-1.24.2 Attackers don't usually control the URLs that urllib3 fetches. It's possible but inconvenient to filter URLs with many @. 0.00863 false
CVE-2019-11236 6.1 urllib3-1.24.2 It's unlikely for an attacker to control a URL. Reject queries with \r\n or encode those characters. 0.00586 false
CVE-2023-43804 8.1 urllib3-1.24.2 Usage of the Cookie header is rare with urllib3. This is more common and useful in browsers. Redirections to another origin are also not the common case. 0.00472 false
CVE-2022-40897 7.5 setuptools-39.2.0 Code path is deprecated. 0.00339 false
CVE-2024-3651 7.5 idna-2.5 0.00338 false
CVE-2020-26137 6.5 urllib3-1.24.2 It's unlikely to use putrequest, which is not documented as part of urllib3's API but only inherited from http.client. 0.00239 false
CVE-2024-37891 4.4 urllib3-1.24.2 There's no reason to set Proxy-Authorization without using urllib3's proxy support. Using the Proxy-Authorization header with urllib3's ProxyManager. Disabling HTTP redirects using redirects=False when sending requests. Not using the Proxy-Authorization header. 0.00142 false
CVE-2024-47081 5.3 requests-2.20.0 0.00104 false
CVE-2025-47273 7.7 setuptools-39.2.0 0.00077 false
CVE-2023-45803 4.2 urllib3-1.24.2 No exploits from the real world were reported. Disable redirects for services that you aren't expecting to respond with redirects, using redirects=False. Disable automatic redirects with redirects=False and handle 303 redirects manually by stripping the HTTP request body. 0.00055 false
CVE-2024-35195 5.6 requests-2.20.0 0.00044 false
CVE-2025-50182 5.3 urllib3-1.24.2 Pyodide is an extremely rare configuration for users in production. 0.00014 false

Tasks

Contributor:

  • Apply the StatusReview label to this issue for a merge request review and wait for feedback

OR

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.