chore(findings): opensource/ceph/ceph (arm64) (#365) · Issues · Iron Bank Containers / Opensource / ceph / ceph

chore(findings): opensource/ceph/ceph (arm64)

## Summary opensource/ceph/ceph (arm64) has 325 new findings discovered during continuous monitoring. More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=opensource/ceph/ceph&tag=v20.2.1-arm64&branch=master EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild. KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA. id | source | severity | package | impact | workaround | epss_score | kev -- | ------ | -------- | ------- | ------ | ---------- | ---------- | --- CVE-2023-0286 | Twistlock CVE | High | cryptography-36.0.1-5.el9 | | | 0.88452 | false CVE-2024-49767 | Twistlock CVE | Medium | werkzeug-2.0.3-3.el9.1 | Assuming the other conditions listed are met, then it is possible to exploit this. | Configure Request.maxcontentlength. | 0.00938 | false CVE-2023-46445 | Twistlock CVE | Medium | asyncssh-2.13.2-5.el9 | | | 0.00448 | false CVE-2023-46446 | Twistlock CVE | Medium | asyncssh-2.13.2-5.el9 | | | 0.00388 | false CVE-2022-36087 | Twistlock CVE | Medium | oauthlib-3.1.1-5.el9 | A minor version update is good enough to get rid of this. | | 0.00366 | false CVE-2026-33278 | Twistlock CVE | High | unbound-1.24.2-2.el9 | | | 0.00244 | false CVE-2026-33278 | Anchore CVE | High | unbound-libs-1.24.2-2.el9 | | | 0.00244 | false CVE-2021-3572 | Anchore CVE | Low | python3-pip-wheel-21.3.1-2.el9_8 | | | 0.00240 | false CVE-2024-0727 | Twistlock CVE | Low | cryptography-36.0.1-5.el9 | | | 0.00231 | false CVE-2026-42009 | Twistlock CVE | High | gnutls-3.8.10-3.el9 | | | 0.00224 | false CVE-2026-42009 | Anchore CVE | High | gnutls-utils-3.8.10-3.el9 | | | 0.00224 | false CVE-2026-42009 | Anchore CVE | High | gnutls-3.8.10-3.el9 | | | 0.00224 | false CVE-2026-42009 | Anchore CVE | High | gnutls-dane-3.8.10-3.el9 | | | 0.00224 | false CVE-2025-32728 | Twistlock CVE | Medium | openssh-9.9p1-7.el9_8 | | | 0.00220 | false CVE-2025-32728 | Anchore CVE | Medium | openssh-9.9p1-7.el9_8 | | | 0.00220 | false CVE-2025-32728 | Anchore CVE | Medium | openssh-clients-9.9p1-7.el9_8 | | | 0.00220 | false CVE-2025-32728 | Anchore CVE | Medium | openssh-server-9.9p1-7.el9_8 | | | 0.00220 | false CVE-2026-28390 | Twistlock CVE | Medium | samba-0:4.23.5-6.el9 | | | 0.00140 | false CVE-2026-28390 | Twistlock CVE | Medium | openssl-1:3.5.5-1.el9 | | | 0.00140 | false CVE-2026-28390 | Anchore CVE | Medium | openssl-libs-1:3.5.5-1.el9 | | | 0.00140 | false CVE-2026-28390 | Anchore CVE | Medium | libwbclient-0:4.23.5-6.el9 | | | 0.00140 | false CVE-2026-28390 | Anchore CVE | Medium | samba-common-0:4.23.5-6.el9 | | | 0.00140 | false CVE-2026-28390 | Anchore CVE | Medium | libldb-0:4.23.5-6.el9 | | | 0.00140 | false CVE-2026-28390 | Anchore CVE | Medium | openssl-1:3.5.5-1.el9 | | | 0.00140 | false CVE-2026-28390 | Anchore CVE | Medium | samba-common-libs-0:4.23.5-6.el9 | | | 0.00140 | false CVE-2026-28390 | Anchore CVE | Medium | openssl-fips-provider-1:3.5.5-1.el9 | | | 0.00140 | false CVE-2026-28390 | Anchore CVE | Medium | samba-client-libs-0:4.23.5-6.el9 | | | 0.00140 | false CVE-2023-33953 | Twistlock CVE | High | grpcio-1.46.7-10.el9 | | | 0.00116 | false CVE-2026-28389 | Twistlock CVE | Low | openssl-1:3.5.5-1.el9 | | | 0.00113 | false CVE-2026-28389 | Anchore CVE | Low | openssl-libs-1:3.5.5-1.el9 | | | 0.00113 | false CVE-2026-28389 | Anchore CVE | Low | openssl-1:3.5.5-1.el9 | | | 0.00113 | false CVE-2026-28389 | Anchore CVE | Low | openssl-fips-provider-1:3.5.5-1.el9 | | | 0.00113 | false CVE-2026-3833 | Twistlock CVE | Medium | gnutls-3.8.10-3.el9 | | | 0.00101 | false CVE-2026-3833 | Anchore CVE | Medium | gnutls-3.8.10-3.el9 | | | 0.00101 | false CVE-2026-3833 | Anchore CVE | Medium | gnutls-utils-3.8.10-3.el9 | | | 0.00101 | false CVE-2026-3833 | Anchore CVE | Medium | gnutls-dane-3.8.10-3.el9 | | | 0.00101 | false CVE-2026-33948 | Twistlock CVE | Low | jq-1.6-19.el9_8.2 | | | 0.00101 | false CVE-2026-33948 | Anchore CVE | Low | jq-1.6-19.el9_8.2 | | | 0.00101 | false CVE-2026-23949 | Twistlock CVE | Low | jaraco.context-6.0.1-3.el9 | | | 0.00101 | false CVE-2025-15224 | Twistlock CVE | Low | curl-7.76.1-41.el9 | | | 0.00098 | false CVE-2025-15224 | Anchore CVE | Low | curl-minimal-7.76.1-41.el9 | | | 0.00098 | false CVE-2025-15224 | Anchore CVE | Low | libcurl-minimal-7.76.1-41.el9 | | | 0.00098 | false CVE-2025-50181 | Twistlock CVE | Medium | python-pip-21.3.1-2.el9_8 | | | 0.00087 | false CVE-2025-50181 | Anchore CVE | Medium | python3-pip-wheel-21.3.1-2.el9_8 | | | 0.00087 | false CVE-2026-4437 | Twistlock CVE | Medium | glibc-2.34-266.el9_8 | | | 0.00085 | false CVE-2026-4437 | Anchore CVE | Medium | glibc-2.34-266.el9_8 | | | 0.00085 | false CVE-2026-4437 | Anchore CVE | Medium | glibc-gconv-extra-2.34-266.el9_8 | | | 0.00085 | false CVE-2026-4437 | Anchore CVE | Medium | glibc-devel-2.34-266.el9_8 | | | 0.00085 | false CVE-2026-4437 | Anchore CVE | Medium | glibc-minimal-langpack-2.34-266.el9_8 | | | 0.00085 | false CVE-2026-4437 | Anchore CVE | Medium | glibc-common-2.34-266.el9_8 | | | 0.00085 | false CVE-2026-4437 | Anchore CVE | Medium | glibc-langpack-en-2.34-266.el9_8 | | | 0.00085 | false CVE-2026-4046 | Twistlock CVE | Medium | glibc-2.34-266.el9_8 | | | 0.00080 | false CVE-2026-4046 | Anchore CVE | Medium | glibc-minimal-langpack-2.34-266.el9_8 | | | 0.00080 | false CVE-2026-4046 | Anchore CVE | Medium | glibc-2.34-266.el9_8 | | | 0.00080 | false CVE-2026-4046 | Anchore CVE | Medium | glibc-devel-2.34-266.el9_8 | | | 0.00080 | false CVE-2026-4046 | Anchore CVE | Medium | glibc-langpack-en-2.34-266.el9_8 | | | 0.00080 | false CVE-2026-4046 | Anchore CVE | Medium | glibc-common-2.34-266.el9_8 | | | 0.00080 | false CVE-2026-4046 | Anchore CVE | Medium | glibc-gconv-extra-2.34-266.el9_8 | | | 0.00080 | false CVE-2025-13151 | Twistlock CVE | Low | libtasn1-4.16.0-9.el9 | | | 0.00080 | false CVE-2026-7168 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00079 | false CVE-2026-7168 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00079 | false CVE-2026-7168 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00079 | false CVE-2026-1965 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00073 | false CVE-2026-1965 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00073 | false CVE-2026-1965 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00073 | false CVE-2025-50182 | Twistlock CVE | Medium | python-pip-21.3.1-2.el9_8 | | | 0.00073 | false CVE-2025-50182 | Anchore CVE | Medium | python3-pip-wheel-21.3.1-2.el9_8 | | | 0.00073 | false CVE-2026-42010 | Twistlock CVE | High | gnutls-3.8.10-3.el9 | | | 0.00070 | false CVE-2026-42010 | Anchore CVE | High | gnutls-dane-3.8.10-3.el9 | | | 0.00070 | false CVE-2026-42010 | Anchore CVE | High | gnutls-3.8.10-3.el9 | | | 0.00070 | false CVE-2026-42010 | Anchore CVE | High | gnutls-utils-3.8.10-3.el9 | | | 0.00070 | false CVE-2026-6732 | Twistlock CVE | Medium | libxml2-2.9.13-14.el9_7 | | | 0.00060 | false CVE-2026-6732 | Anchore CVE | Medium | libxml2-2.9.13-14.el9_7 | | | 0.00060 | false CVE-2026-34743 | Twistlock CVE | Medium | xz-5.2.5-8.el9_0 | | | 0.00060 | false CVE-2026-34743 | Anchore CVE | Medium | xz-libs-5.2.5-8.el9_0 | | | 0.00060 | false CVE-2026-32284 | Twistlock CVE | Medium | python-pip-21.3.1-2.el9_8 | | | 0.00059 | false CVE-2026-32284 | Anchore CVE | Medium | python3-pip-wheel-21.3.1-2.el9_8 | | | 0.00059 | false CVE-2026-32316 | Twistlock CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00058 | false CVE-2026-32316 | Anchore CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00058 | false CVE-2026-4438 | Twistlock CVE | Low | glibc-2.34-266.el9_8 | | | 0.00056 | false CVE-2026-4438 | Anchore CVE | Low | glibc-langpack-en-2.34-266.el9_8 | | | 0.00056 | false CVE-2026-4438 | Anchore CVE | Low | glibc-2.34-266.el9_8 | | | 0.00056 | false CVE-2026-4438 | Anchore CVE | Low | glibc-minimal-langpack-2.34-266.el9_8 | | | 0.00056 | false CVE-2026-4438 | Anchore CVE | Low | glibc-common-2.34-266.el9_8 | | | 0.00056 | false CVE-2026-4438 | Anchore CVE | Low | glibc-devel-2.34-266.el9_8 | | | 0.00056 | false CVE-2026-4438 | Anchore CVE | Low | glibc-gconv-extra-2.34-266.el9_8 | | | 0.00056 | false CVE-2023-45803 | Twistlock CVE | Medium | python-pip-21.3.1-2.el9_8 | | | 0.00056 | false CVE-2023-45803 | Anchore CVE | Medium | python3-pip-wheel-21.3.1-2.el9_8 | | | 0.00056 | false CVE-2026-33845 | Twistlock CVE | High | gnutls-3.8.10-3.el9 | | | 0.00055 | false CVE-2026-33845 | Anchore CVE | High | gnutls-utils-3.8.10-3.el9 | | | 0.00055 | false CVE-2026-33845 | Anchore CVE | High | gnutls-3.8.10-3.el9 | | | 0.00055 | false CVE-2026-33845 | Anchore CVE | High | gnutls-dane-3.8.10-3.el9 | | | 0.00055 | false CVE-2026-5450 | Twistlock CVE | Medium | glibc-2.34-266.el9_8 | | | 0.00054 | false CVE-2026-5450 | Anchore CVE | Medium | glibc-langpack-en-2.34-266.el9_8 | | | 0.00054 | false CVE-2026-5450 | Anchore CVE | Medium | glibc-gconv-extra-2.34-266.el9_8 | | | 0.00054 | false CVE-2026-5450 | Anchore CVE | Medium | glibc-common-2.34-266.el9_8 | | | 0.00054 | false CVE-2026-5450 | Anchore CVE | Medium | glibc-minimal-langpack-2.34-266.el9_8 | | | 0.00054 | false CVE-2026-5450 | Anchore CVE | Medium | glibc-2.34-266.el9_8 | | | 0.00054 | false CVE-2026-5450 | Anchore CVE | Medium | glibc-devel-2.34-266.el9_8 | | | 0.00054 | false CVE-2026-5928 | Twistlock CVE | Medium | glibc-2.34-266.el9_8 | | | 0.00050 | false CVE-2026-5928 | Anchore CVE | Medium | glibc-langpack-en-2.34-266.el9_8 | | | 0.00050 | false CVE-2026-5928 | Anchore CVE | Medium | glibc-gconv-extra-2.34-266.el9_8 | | | 0.00050 | false CVE-2026-5928 | Anchore CVE | Medium | glibc-common-2.34-266.el9_8 | | | 0.00050 | false CVE-2026-5928 | Anchore CVE | Medium | glibc-minimal-langpack-2.34-266.el9_8 | | | 0.00050 | false CVE-2026-5928 | Anchore CVE | Medium | glibc-devel-2.34-266.el9_8 | | | 0.00050 | false CVE-2026-5928 | Anchore CVE | Medium | glibc-2.34-266.el9_8 | | | 0.00050 | false CVE-2025-15079 | Twistlock CVE | Low | curl-7.76.1-41.el9 | | | 0.00047 | false CVE-2025-15079 | Anchore CVE | Low | curl-minimal-7.76.1-41.el9 | | | 0.00047 | false CVE-2025-15079 | Anchore CVE | Low | libcurl-minimal-7.76.1-41.el9 | | | 0.00047 | false CVE-2026-5435 | Twistlock CVE | Medium | glibc-2.34-266.el9_8 | | | 0.00045 | false CVE-2026-5435 | Anchore CVE | Medium | glibc-devel-2.34-266.el9_8 | | | 0.00045 | false CVE-2026-5435 | Anchore CVE | Medium | glibc-langpack-en-2.34-266.el9_8 | | | 0.00045 | false CVE-2026-5435 | Anchore CVE | Medium | glibc-gconv-extra-2.34-266.el9_8 | | | 0.00045 | false CVE-2026-5435 | Anchore CVE | Medium | glibc-2.34-266.el9_8 | | | 0.00045 | false CVE-2026-5435 | Anchore CVE | Medium | glibc-common-2.34-266.el9_8 | | | 0.00045 | false CVE-2026-5435 | Anchore CVE | Medium | glibc-minimal-langpack-2.34-266.el9_8 | | | 0.00045 | false CVE-2026-42944 | Twistlock CVE | High | unbound-1.24.2-2.el9 | | | 0.00045 | false CVE-2026-42944 | Anchore CVE | High | unbound-libs-1.24.2-2.el9 | | | 0.00045 | false CVE-2026-28388 | Twistlock CVE | Low | openssl-1:3.5.5-1.el9 | | | 0.00045 | false CVE-2026-28388 | Anchore CVE | Low | openssl-fips-provider-1:3.5.5-1.el9 | | | 0.00045 | false CVE-2026-28388 | Anchore CVE | Low | openssl-libs-1:3.5.5-1.el9 | | | 0.00045 | false CVE-2026-28388 | Anchore CVE | Low | openssl-1:3.5.5-1.el9 | | | 0.00045 | false CVE-2025-9403 | Twistlock CVE | Low | jq-1.6-19.el9_8.2 | | | 0.00045 | false CVE-2025-9403 | Anchore CVE | Low | jq-1.6-19.el9_8.2 | | | 0.00045 | false CVE-2026-42959 | Twistlock CVE | High | unbound-1.24.2-2.el9 | | | 0.00044 | false CVE-2026-42959 | Anchore CVE | High | unbound-libs-1.24.2-2.el9 | | | 0.00044 | false CVE-2026-28387 | Twistlock CVE | Low | openssl-1:3.5.5-1.el9 | | | 0.00044 | false CVE-2026-31790 | Twistlock CVE | Medium | openssl-1:3.5.5-1.el9 | | | 0.00042 | false CVE-2026-31790 | Anchore CVE | Medium | openssl-fips-provider-1:3.5.5-1.el9 | | | 0.00042 | false CVE-2026-31790 | Anchore CVE | Medium | openssl-libs-1:3.5.5-1.el9 | | | 0.00042 | false CVE-2026-31790 | Anchore CVE | Medium | openssl-1:3.5.5-1.el9 | | | 0.00042 | false CVE-2026-41066 | Twistlock CVE | Medium | python-lxml-4.6.5-3.el9 | | | 0.00041 | false CVE-2026-41066 | Anchore CVE | Medium | python3-lxml-4.6.5-3.el9 | | | 0.00041 | false CVE-2026-44608 | Twistlock CVE | Medium | unbound-1.24.2-2.el9 | | | 0.00040 | false CVE-2026-44608 | Anchore CVE | Medium | unbound-libs-1.24.2-2.el9 | | | 0.00040 | false CVE-2025-14524 | Twistlock CVE | Low | curl-7.76.1-41.el9 | | | 0.00040 | false CVE-2025-14524 | Anchore CVE | Low | libcurl-minimal-7.76.1-41.el9 | | | 0.00040 | false CVE-2025-14524 | Anchore CVE | Low | curl-minimal-7.76.1-41.el9 | | | 0.00040 | false CVE-2026-5545 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00037 | false CVE-2026-5545 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00037 | false CVE-2026-5545 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00037 | false CVE-2024-5206 | Twistlock CVE | Medium | scikit-learn-1.4.1.post1-1 | Users need to be using TfidfVectorizer, on sensitive data, and then sharing the saved model with malicious parties to be affected. | remove the stopwords attribute before saving the model. | 0.00037 | false CVE-2026-9149 | Anchore CVE | Medium | libsolv-0.7.24-4.el9 | | | 0.00032 | false CVE-2026-9149 | Twistlock CVE | Medium | libsolv-0.7.24-4.el9 | | | 0.00032 | false CVE-2026-23490 | Twistlock CVE | High | python-pyasn1-0.4.8-7.el9_7 | | | 0.00032 | false CVE-2026-21441 | Twistlock CVE | High | python-urllib3-1.26.5-7.el9 | | | 0.00032 | false CVE-2026-6019 | Twistlock CVE | Medium | python3.9-3.9.25-7.el9_8 | | | 0.00031 | false CVE-2026-6019 | Anchore CVE | Medium | python3-libs-3.9.25-7.el9_8 | | | 0.00031 | false CVE-2026-6019 | Anchore CVE | Medium | python3-3.9.25-7.el9_8 | | | 0.00031 | false CVE-2026-6019 | Anchore CVE | Medium | python3-devel-3.9.25-7.el9_8 | | | 0.00031 | false CVE-2026-33846 | Twistlock CVE | High | gnutls-3.8.10-3.el9 | | | 0.00031 | false CVE-2026-33846 | Anchore CVE | High | gnutls-utils-3.8.10-3.el9 | | | 0.00031 | false CVE-2026-33846 | Anchore CVE | High | gnutls-dane-3.8.10-3.el9 | | | 0.00031 | false CVE-2026-33846 | Anchore CVE | High | gnutls-3.8.10-3.el9 | | | 0.00031 | false CVE-2026-6253 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00030 | false CVE-2026-6253 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00030 | false CVE-2026-6253 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00030 | false CVE-2026-3805 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00030 | false CVE-2026-3805 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00030 | false CVE-2026-3805 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00030 | false CVE-2026-27199 | Twistlock CVE | Medium | werkzeug-2.0.3-3.el9.1 | Hosting on Windows is uncommon. Hosting without resource limits is uncommon. | Check for Windows special device names in usersupplied paths before passing to sendfromdirectory. Apply resource limits on time in this case to the server. | 0.00027 | false CVE-2026-30922 | Twistlock CVE | High | pyasn1-0.4.8-7.el9_7 | | | 0.00026 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-mgr-rook-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | python3-rgw-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-exporter-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | librados2-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-immutable-object-cache-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-radosgw-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | libcephsqlite-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-mgr-dashboard-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | cephadm-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-base-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-osd-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-selinux-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-mgr-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-mgr-diskprediction-local-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | rbd-nbd-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-mds-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-mgr-modules-core-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | libradosstriper1-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-volume-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | python3-cephfs-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-prometheus-alerts-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | libcephfs2-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | librgw2-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-grafana-dashboards-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | python3-rados-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | python3-ceph-argparse-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | librbd1-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | cephfs-mirror-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | cephfs-top-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | rbd-mirror-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | libcephfs-daemon-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | python3-rbd-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | python3-ceph-common-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-fuse-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-mgr-cephadm-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-common-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-mgr-k8sevents-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-mon-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-2950 | Anchore CVE | Medium | ceph-node-proxy-2:20.2.1-0.el9 | | | 0.00025 | false CVE-2026-3783 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00024 | false CVE-2026-3783 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00024 | false CVE-2026-3783 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00024 | false CVE-2026-1502 | Twistlock CVE | Medium | python3.9-3.9.25-7.el9_8 | | | 0.00024 | false CVE-2026-1502 | Anchore CVE | Medium | python3-devel-3.9.25-7.el9_8 | | | 0.00024 | false CVE-2026-1502 | Anchore CVE | Medium | python3-libs-3.9.25-7.el9_8 | | | 0.00024 | false CVE-2026-1502 | Anchore CVE | Medium | python3-3.9.25-7.el9_8 | | | 0.00024 | false CVE-2026-3784 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00023 | false CVE-2026-3784 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00023 | false CVE-2026-3784 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00023 | false CVE-2026-6429 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00021 | false CVE-2026-6429 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00021 | false CVE-2026-6429 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00021 | false CVE-2026-43895 | Twistlock CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00020 | false CVE-2026-43895 | Anchore CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00020 | false CVE-2026-5773 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00019 | false CVE-2026-5773 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00019 | false CVE-2026-5773 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00019 | false CVE-2025-66418 | Twistlock CVE | High | python-urllib3-1.26.5-7.el9 | | | 0.00019 | false CVE-2026-5713 | Twistlock CVE | Medium | python3.9-3.9.25-7.el9_8 | | | 0.00018 | false CVE-2026-5713 | Anchore CVE | Medium | python3-3.9.25-7.el9_8 | | | 0.00018 | false CVE-2026-5713 | Anchore CVE | Medium | python3-devel-3.9.25-7.el9_8 | | | 0.00018 | false CVE-2026-5713 | Anchore CVE | Medium | python3-libs-3.9.25-7.el9_8 | | | 0.00018 | false CVE-2026-40170 | Twistlock CVE | High | samba-0:4.23.5-6.el9 | | | 0.00017 | false CVE-2026-40170 | Anchore CVE | High | samba-client-libs-0:4.23.5-6.el9 | | | 0.00017 | false CVE-2026-40170 | Anchore CVE | High | libldb-0:4.23.5-6.el9 | | | 0.00017 | false CVE-2026-40170 | Anchore CVE | High | libwbclient-0:4.23.5-6.el9 | | | 0.00017 | false CVE-2026-40170 | Anchore CVE | High | samba-common-0:4.23.5-6.el9 | | | 0.00017 | false CVE-2026-40170 | Anchore CVE | High | samba-common-libs-0:4.23.5-6.el9 | | | 0.00017 | false CVE-2026-27456 | Twistlock CVE | Medium | util-linux-2.37.4-25.el9 | | | 0.00017 | false CVE-2026-27456 | Anchore CVE | Medium | libuuid-2.37.4-25.el9 | | | 0.00017 | false CVE-2026-27456 | Anchore CVE | Medium | util-linux-2.37.4-25.el9 | | | 0.00017 | false CVE-2026-27456 | Anchore CVE | Medium | libsmartcols-2.37.4-25.el9 | | | 0.00017 | false CVE-2026-27456 | Anchore CVE | Medium | libmount-2.37.4-25.el9 | | | 0.00017 | false CVE-2026-27456 | Anchore CVE | Medium | libblkid-2.37.4-25.el9 | | | 0.00017 | false CVE-2026-27456 | Anchore CVE | Medium | libfdisk-2.37.4-25.el9 | | | 0.00017 | false CVE-2026-27456 | Anchore CVE | Medium | util-linux-core-2.37.4-25.el9 | | | 0.00017 | false CVE-2025-66471 | Twistlock CVE | High | python-urllib3-1.26.5-7.el9 | | | 0.00017 | false CVE-2026-3832 | Twistlock CVE | Low | gnutls-3.8.10-3.el9 | | | 0.00016 | false CVE-2026-3832 | Anchore CVE | Low | gnutls-dane-3.8.10-3.el9 | | | 0.00016 | false CVE-2026-3832 | Anchore CVE | Low | gnutls-3.8.10-3.el9 | | | 0.00016 | false CVE-2026-3832 | Anchore CVE | Low | gnutls-utils-3.8.10-3.el9 | | | 0.00016 | false CVE-2026-42308 | Twistlock CVE | Medium | python3.9-3.9.25-7.el9_8 | | | 0.00015 | false CVE-2026-42308 | Anchore CVE | Medium | python3-libs-3.9.25-7.el9_8 | | | 0.00015 | false CVE-2026-42308 | Anchore CVE | Medium | python3-3.9.25-7.el9_8 | | | 0.00015 | false CVE-2026-42308 | Anchore CVE | Medium | python3-devel-3.9.25-7.el9_8 | | | 0.00015 | false CVE-2026-4873 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00014 | false CVE-2026-4873 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00014 | false CVE-2026-4873 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00014 | false CVE-2026-43896 | Twistlock CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00014 | false CVE-2026-43896 | Anchore CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00014 | false CVE-2026-43894 | Twistlock CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00014 | false CVE-2026-43894 | Anchore CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00014 | false CVE-2026-39956 | Twistlock CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00014 | false CVE-2026-39956 | Anchore CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00014 | false CVE-2026-27205 | Twistlock CVE | Medium | flask-1:2.0.3-1.el9.1 | Very unlikely to be using these operations on session versus or in addition to using something that does access the value and does track access correctly, such as sessionkey. | Set session.accessed True when accessing the session in the described circumstances ways. | 0.00014 | false CVE-2026-6276 | Twistlock CVE | Low | curl-7.76.1-41.el9 | | | 0.00013 | false CVE-2026-6276 | Anchore CVE | Low | libcurl-minimal-7.76.1-41.el9 | | | 0.00013 | false CVE-2026-6276 | Anchore CVE | Low | curl-minimal-7.76.1-41.el9 | | | 0.00013 | false CVE-2026-44777 | Twistlock CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00013 | false CVE-2026-44777 | Anchore CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00013 | false CVE-2026-44431 | Twistlock CVE | Medium | python-pip-21.3.1-2.el9_8 | | | 0.00013 | false CVE-2026-44431 | Anchore CVE | Medium | python3-pip-wheel-21.3.1-2.el9_8 | | | 0.00013 | false CVE-2026-42011 | Twistlock CVE | Medium | gnutls-3.8.10-3.el9 | | | 0.00013 | false CVE-2026-42011 | Anchore CVE | Medium | gnutls-dane-3.8.10-3.el9 | | | 0.00013 | false CVE-2026-42011 | Anchore CVE | Medium | gnutls-utils-3.8.10-3.el9 | | | 0.00013 | false CVE-2026-42011 | Anchore CVE | Medium | gnutls-3.8.10-3.el9 | | | 0.00013 | false CVE-2026-41257 | Twistlock CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00013 | false CVE-2026-41257 | Anchore CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00013 | false CVE-2026-41256 | Twistlock CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00013 | false CVE-2026-41256 | Anchore CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00013 | false CVE-2026-41080 | Twistlock CVE | Low | expat-2.5.0-6.el9 | | | 0.00013 | false CVE-2026-41080 | Anchore CVE | Low | expat-2.5.0-6.el9 | | | 0.00013 | false CVE-2026-40612 | Twistlock CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00013 | false CVE-2026-40612 | Anchore CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00013 | false CVE-2025-13034 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00012 | false CVE-2025-13034 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00012 | false CVE-2025-13034 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00012 | false CVE-2026-6245 | Twistlock CVE | Medium | sssd-2.9.8-1.el9 | | | 0.00011 | false CVE-2026-6245 | Anchore CVE | Medium | libsss_nss_idmap-2.9.8-1.el9 | | | 0.00011 | false CVE-2026-6245 | Anchore CVE | Medium | sssd-client-2.9.8-1.el9 | | | 0.00011 | false CVE-2026-6245 | Anchore CVE | Medium | libsss_idmap-2.9.8-1.el9 | | | 0.00011 | false CVE-2026-45186 | Twistlock CVE | High | expat-2.5.0-6.el9 | | | 0.00011 | false CVE-2026-45186 | Anchore CVE | High | expat-2.5.0-6.el9 | | | 0.00011 | false CVE-2026-9150 | Anchore CVE | Medium | libsolv-0.7.24-4.el9 | | | 0.00010 | false CVE-2026-9150 | Twistlock CVE | Medium | libsolv-0.7.24-4.el9 | | | 0.00010 | false CVE-2026-4105 | Twistlock CVE | Medium | systemd-252-67.el9_8.2 | | | 0.00010 | false CVE-2026-4105 | Anchore CVE | Medium | systemd-pam-252-67.el9_8.2 | | | 0.00010 | false CVE-2026-4105 | Anchore CVE | Medium | systemd-libs-252-67.el9_8.2 | | | 0.00010 | false CVE-2026-4105 | Anchore CVE | Medium | systemd-udev-252-67.el9_8.2 | | | 0.00010 | false CVE-2026-4105 | Anchore CVE | Medium | systemd-rpm-macros-252-67.el9_8.2 | | | 0.00010 | false CVE-2026-4105 | Anchore CVE | Medium | systemd-252-67.el9_8.2 | | | 0.00010 | false CVE-2026-34933 | Twistlock CVE | Medium | avahi-0.8-24.el9 | | | 0.00009 | false CVE-2026-34933 | Anchore CVE | Medium | avahi-libs-0.8-24.el9 | | | 0.00009 | false CVE-2026-34073 | Twistlock CVE | Low | cryptography-36.0.1-5.el9 | | | 0.00009 | false CVE-2026-26007 | Twistlock CVE | High | cryptography-36.0.1-5.el9 | | | 0.00009 | false CVE-2023-51767 | Anchore CVE | Medium | openssh-clients-9.9p1-7.el9_8 | | | 0.00007 | false CVE-2026-5745 | Twistlock CVE | Medium | libarchive-3.5.3-9.el9_7 | | | 0.00006 | false CVE-2026-5745 | Anchore CVE | Medium | libarchive-3.5.3-9.el9_7 | | | 0.00006 | false CVE-2026-32778 | Twistlock CVE | Medium | expat-2.5.0-6.el9 | | | 0.00006 | false CVE-2026-32778 | Anchore CVE | Medium | expat-2.5.0-6.el9 | | | 0.00006 | false CVE-2026-32777 | Twistlock CVE | Medium | expat-2.5.0-6.el9 | | | 0.00006 | false CVE-2026-32777 | Anchore CVE | Medium | expat-2.5.0-6.el9 | | | 0.00006 | false CVE-2026-32776 | Twistlock CVE | Medium | expat-2.5.0-6.el9 | | | 0.00006 | false CVE-2026-32776 | Anchore CVE | Medium | expat-2.5.0-6.el9 | | | 0.00006 | false CVE-2026-24515 | Twistlock CVE | Low | expat-2.5.0-6.el9 | | | 0.00006 | false CVE-2026-24515 | Anchore CVE | Low | expat-2.5.0-6.el9 | | | 0.00006 | false CVE-2026-33947 | Twistlock CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00005 | false CVE-2026-33947 | Anchore CVE | Medium | jq-1.6-19.el9_8.2 | | | 0.00005 | false CVE-2026-25645 | Twistlock CVE | Medium | requests-2.25.1-10.el9_6 | | | 0.00004 | false CVE-2026-25645 | Twistlock CVE | Medium | python-pip-21.3.1-2.el9_8 | | | 0.00004 | false CVE-2026-25645 | Anchore CVE | Medium | python3-pip-wheel-21.3.1-2.el9_8 | | | 0.00004 | false CVE-2025-14017 | Twistlock CVE | Medium | curl-7.76.1-41.el9 | | | 0.00004 | false CVE-2025-14017 | Anchore CVE | Medium | libcurl-minimal-7.76.1-41.el9 | | | 0.00004 | false CVE-2025-14017 | Anchore CVE | Medium | curl-minimal-7.76.1-41.el9 | | | 0.00004 | false CVE-2026-45409 | Twistlock CVE | Medium | idna-2.10-7.el9_4.1 | | | N/A | false f6257dbd2bfddd731b175c3e6b553ceb | Anchore Compliance | Critical | | | | N/A | N/A d01cfaa95bf3b34e60c558bfafa7d826 | Anchore Compliance | Critical | | | | N/A | N/A PRISMA-2023-0035 | Twistlock CVE | High | werkzeug-2.0.3-3.el9.1 | | | N/A | N/A PRISMA-2021-0041 | Twistlock CVE | High | oauthlib-3.1.1-5.el9 | | | N/A | N/A GHSA-v8gr-m533-ghj9 | Twistlock CVE | Low | cryptography-36.0.1-5.el9 | | | N/A | N/A GHSA-jm77-qphf-c4w8 | Twistlock CVE | Low | cryptography-36.0.1-5.el9 | | | N/A | N/A GHSA-hfmc-7525-mj55 | Twistlock CVE | Medium | asyncssh-2.13.2-5.el9 | | | N/A | N/A GHSA-5cpq-8wj7-hf2v | Twistlock CVE | Low | cryptography-36.0.1-5.el9 | | | N/A | N/A More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=opensource/ceph/ceph&tag=v20.2.1-arm64&branch=master ### Novel Tidelift Findings (Experimental) opensource/ceph/ceph (arm64) has 28 novel Tidelift findings discovered during continuous monitoring. **_NOTE:_** This table is for Iron Bank evaluation and testing purposes. No action required by vendors. id | cvss score | package | impact | workaround | epss_score | kev -- | ---------- | ------- | ------ | ---------- | ---------- | --- CVE-2022-29361 | 9.8 | Werkzeug-2.0.3 | | | 0.31113 | false CVE-2024-39689 | 7.5 | certifi-2023.5.7 | | | 0.25805 | false CVE-2024-6345 | 8.8 | setuptools-69.2.0 | Most users have migrated off of the code paths that are affected. The affected code paths are actively deprecated and planned for turn down. Only specialized and legacy workflows are affected. | Use recommended installers pip, uv, build, system package managers to install all packages from trusted indexes. If working with untrusted content in private indexes, consider scanning for malicious code in the package index pages. | 0.07521 | false CVE-2023-32681 | 6.1 | requests-2.25.1 | Requires that deployment or integration of requests is being used to a connect to untrusted hosts b is connecting over HTTPS and c is using proxies to do so. | | 0.06086 | false CVE-2024-49766 | 6.3 | Werkzeug-2.0.3 | Assuming the other conditions listed are met, this is exploitable. | | 0.01392 | false CVE-2022-2309 | 7.5 | lxml-4.6.5 | Requires processing specially forged content.Requires vulnerable code sequence on user side. | | 0.01251 | false CVE-2023-38325 | 7.5 | cryptography-36.0.1 | | | 0.01168 | false CVE-2023-50782 | 7.5 | cryptography-36.0.1 | | | 0.00855 | false CVE-2025-56005 | | ply-3.11 | | | 0.00846 | false CVE-2025-47273 | 7.7 | setuptools-69.2.0 | Most users have pip and do not access the deprecated PackageIndex code path. | Ensure pip is installed and Setuptools will use that instead. | 0.00487 | false CVE-2024-34997 | 7.5 | joblib-1.4.2 | | | 0.00378 | false CVE-2023-23934 | 3.5 | Werkzeug-2.0.3 | If the conditions above are met and exploited. | Avoid hosting next to untrusted subdomains, and avoid XSS vulnerabilities. | 0.00267 | false CVE-2024-47081 | 5.3 | requests-2.25.1 | | | 0.00227 | false CVE-2023-30861 | 7.5 | Flask-2.0.3 | Only when using permanent session cookies with a misconfigured caching proxy, as described above. | Add the Vary cookie header using afterrequest, WSGI middleware, or HTTP server config. | 0.00185 | false CVE-2022-1941 | 7.5 | protobuf-3.14.0 | | | 0.00171 | false CVE-2021-22570 | 7.5 | protobuf-3.14.0 | | | 0.00150 | false CVE-2023-37920 | 9.8 | certifi-2023.5.7 | Many uses of Certifi use systemprovided CA certs. | | 0.00119 | false CVE-2025-9375 | 6.9 | xmltodict-0.12.0 | | | 0.00117 | false CVE-2024-37388 | 9.1 | lxml-4.6.5 | A lot of XML processing is either in or out, not passthrough.The issue has been resolved in lxml 5.x. | Disable entity resolution in the parser with resolveentitiesFalse. | 0.00090 | false CVE-2025-50181 | 5.3 | urllib3-1.26.5 | Most users dont disable redirects on the PoolManager. | Set redirectsFalseredirects0 on the .request call instead of on the toplevel urllib3.PoolManager | 0.00087 | false CVE-2025-50182 | 5.3 | urllib3-1.26.5 | Pyodide is extremely rare configuration for users in production. | | 0.00073 | false CVE-2023-45803 | 4.2 | urllib3-1.26.5 | No exploits from real world were reported | Disable redirects for services that you arent expecting to respond with redirects with redirectsFalse.Disable automatic redirects with redirectsFalse and handle 303 redirects manually by stripping the HTTP request body. | 0.00056 | false CVE-2026-27448 | 1.7 | pyOpenSSL-21.0.0 | | | 0.00043 | false CVE-2026-21860 | 6.3 | Werkzeug-2.0.3 | Hosting on Windows is uncommon. | Check for Windows special device names in usersupplied paths before passing to sendfromdirectory. | 0.00034 | false CVE-2025-66221 | 6.3 | Werkzeug-2.0.3 | Hosting on Windows is uncommon. | Check for Windows special device names in usersupplied paths before passing to sendfromdirectory. | 0.00032 | false CVE-2026-7246 | | click-8.0.3 | | | 0.00030 | false CVE-2026-27205 | 2.3 | Flask-2.0.3 | Very unlikely to be using these operations on session versus or in addition to using something that does access the value and does track access correctly, such as sessionkey. | Set session.accessed True when accessing the session in the described circumstances ways. | 0.00014 | false CVE-2026-44431 | 5.3 | urllib3-1.26.5 | Most users wont use those lowlevel APIs, especially if they arent using urllib3 directly but instead use it through requests, boto3, etc. | If upgrading is not immediately possible, avoid using this lowlevel redirect flow for crossorigin redirects. If appropriate for your use case, switch to ProxyManager.request. | 0.00013 | false ## Tasks Contributor: - [ ] Apply the ~"Status::Review" label to this issue for a `merge request review` and wait for feedback OR - [ ] Provide justifications for findings in the [VAT](https://vat.dso.mil) ([docs](https://docs-ironbank.dso.mil/hardening/justifications/)) - [ ] Apply the ~"Status::Verification" label to this issue for a `VAT justifications review` and wait for feedback Iron Bank: - [ ] Review findings and justifications > Note: If the above process is rejected for any reason, the `Review` or `Verification` label will be removed and the issue will be sent back to `To-Do`. Any comments will be listed in this issue for you to address. Once they have been addressed, you **must** re-add the `Review` or `Verification` label. ## Questions? Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add `/cc @ironbank-notifications/onboarding`. Additionally, Iron Bank hosts an [AMA](https://www.zoomgov.com/meeting/register/vJIsdemoqTMpGpm-2c6xjdAm0MLD6vuvu5I) working session every Wednesday from 1630-1730EST to answer questions.

issue