chore(findings): opensource/datahub/datahub-upgrade
## Summary
opensource/datahub/datahub-upgrade has 71 new findings discovered during continuous monitoring.
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=opensource/datahub/datahub-upgrade&tag=1.5.0-oss&branch=master
EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.
KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.
id | source | severity | package | impact | workaround | epss_score | kev
-- | ------ | -------- | ------- | ------ | ---------- | ---------- | ---
CVE-2023-28115 | Twistlock CVE | Critical | snappy-1.2.2-r0 | | | 0.11387 | false
CVE-2023-41330 | Twistlock CVE | Critical | snappy-1.2.2-r0 | | | 0.01189 | false
CVE-2024-43126 | Anchore CVE | High | opentelemetry-exporter-sender-okhttp-1.60.1 | | | 0.00414 | false
CVE-2025-67030 | Twistlock CVE | High | org.codehaus.plexus_plexus-utils-3.2.1 | | | 0.00247 | false
CVE-2026-34478 | Anchore CVE | Medium | log4j-jul-2.25.3 | | | 0.00191 | false
CVE-2026-34478 | Anchore CVE | Medium | log4j-jul-2.25.3 | | | 0.00191 | false
CVE-2026-34478 | Anchore CVE | Medium | log4j-api-2.25.3 | | | 0.00191 | false
CVE-2026-34478 | Anchore CVE | Medium | log4j-api-2.25.3 | | | 0.00191 | false
CVE-2026-34478 | Twistlock CVE | Medium | org.apache.logging.log4j_log4j-core-2.25.3 | | | 0.00191 | false
CVE-2026-34480 | Twistlock CVE | Medium | org.apache.logging.log4j_log4j-core-2.25.3 | | | 0.00157 | false
CVE-2026-34480 | Anchore CVE | Medium | log4j-api-2.25.3 | | | 0.00157 | false
CVE-2026-34480 | Anchore CVE | Medium | log4j-jul-2.25.3 | | | 0.00157 | false
CVE-2026-34480 | Anchore CVE | Medium | log4j-api-2.25.3 | | | 0.00157 | false
CVE-2026-34480 | Anchore CVE | Medium | log4j-jul-2.25.3 | | | 0.00157 | false
CVE-2026-34477 | Anchore CVE | Medium | log4j-api-2.25.3 | | | 0.00143 | false
CVE-2026-34477 | Anchore CVE | Medium | log4j-jul-2.25.3 | | | 0.00143 | false
CVE-2026-34477 | Anchore CVE | Medium | log4j-api-2.25.3 | | | 0.00143 | false
CVE-2026-34477 | Anchore CVE | Medium | log4j-jul-2.25.3 | | | 0.00143 | false
CVE-2026-34477 | Twistlock CVE | Medium | org.apache.logging.log4j_log4j-core-2.25.3 | | | 0.00143 | false
CVE-2026-33871 | Anchore CVE | High | reactor-netty-http-1.2.13 | | | 0.00081 | false
CVE-2026-33871 | Anchore CVE | High | reactor-netty-core-1.2.13 | | | 0.00081 | false
CVE-2026-33871 | Anchore CVE | High | grpc-netty-shaded-1.80.0 | | | 0.00081 | false
CVE-2023-2976 | Twistlock CVE | High | com.google.guava_guava-30.1.1-jre | | | 0.00065 | false
CVE-2025-27821 | Anchore CVE | High | hadoop-common-3.3.6 | | | 0.00047 | false
CVE-2025-27821 | Anchore CVE | High | hadoop-mapreduce-client-core-3.3.6 | | | 0.00047 | false
CVE-2025-27821 | Anchore CVE | High | hadoop-yarn-api-3.3.6 | | | 0.00047 | false
CVE-2025-27821 | Anchore CVE | High | hadoop-mapreduce-client-jobclient-3.3.6 | | | 0.00047 | false
CVE-2025-27821 | Anchore CVE | High | hadoop-annotations-3.3.6 | | | 0.00047 | false
CVE-2025-27821 | Anchore CVE | High | hadoop-auth-3.3.6 | | | 0.00047 | false
CVE-2025-27821 | Anchore CVE | High | hadoop-mapreduce-client-common-3.3.6 | | | 0.00047 | false
CVE-2025-27821 | Anchore CVE | High | hadoop-hdfs-client-3.3.6 | | | 0.00047 | false
CVE-2025-27821 | Anchore CVE | High | hadoop-yarn-client-3.3.6 | | | 0.00047 | false
CVE-2025-27821 | Anchore CVE | High | hadoop-client-3.3.6 | | | 0.00047 | false
CVE-2025-27821 | Anchore CVE | High | hadoop-yarn-common-3.3.6 | | | 0.00047 | false
CVE-2026-33870 | Anchore CVE | High | reactor-netty-http-1.2.13 | | | 0.00040 | false
CVE-2026-33870 | Anchore CVE | High | reactor-netty-core-1.2.13 | | | 0.00040 | false
CVE-2026-33870 | Anchore CVE | High | grpc-netty-shaded-1.80.0 | | | 0.00040 | false
CVE-2026-25679 | Twistlock CVE | Low | net/url-1.24.13 | | | 0.00033 | false
CVE-2026-25679 | Anchore CVE | High | stdlib-go1.24.13 | | | 0.00033 | false
CVE-2026-3805 | Twistlock CVE | High | curl-8.17.0-r1 | | | 0.00021 | false
CVE-2026-3805 | Anchore CVE | High | curl-8.17.0-r1 | | | 0.00021 | false
CVE-2026-32281 | Twistlock CVE | High | crypto/x509-1.24.13 | | | 0.00018 | false
CVE-2026-32281 | Anchore CVE | High | stdlib-go1.24.13 | | | 0.00018 | false
CVE-2026-27143 | Anchore CVE | Critical | stdlib-go1.24.13 | | | 0.00018 | false
CVE-2026-27135 | Twistlock CVE | Low | nghttp2-1.68.0-r0 | | | 0.00018 | false
CVE-2026-27135 | Anchore CVE | High | nghttp2-libs-1.68.0-r0 | | | 0.00018 | false
CVE-2025-7962 | Twistlock CVE | Medium | com.sun.mail_jakarta.mail-1.6.7 | | | 0.00018 | false
CVE-2026-32280 | Twistlock CVE | High | crypto/x509-1.24.13 | | | 0.00017 | false
CVE-2026-32280 | Anchore CVE | High | stdlib-go1.24.13 | | | 0.00017 | false
CVE-2026-32283 | Twistlock CVE | High | crypto/tls-1.24.13 | | | 0.00015 | false
CVE-2026-32283 | Anchore CVE | High | stdlib-go1.24.13 | | | 0.00015 | false
CVE-2026-35469 | Twistlock CVE | High | github.com/moby/spdystream-v0.5.0 | | | 0.00014 | false
CVE-2026-27140 | Anchore CVE | High | stdlib-go1.24.13 | | | 0.00014 | false
CVE-2026-0994 | Anchore CVE | High | protobuf-java-4.32.0 | | | 0.00013 | false
CVE-2026-0994 | Anchore CVE | High | protobuf-java-util-3.25.5 | | | 0.00013 | false
CVE-2026-32289 | Anchore CVE | Medium | stdlib-go1.24.13 | | | 0.00010 | false
CVE-2026-32282 | Anchore CVE | Medium | stdlib-go1.24.13 | | | 0.00008 | false
CVE-2026-27144 | Anchore CVE | High | stdlib-go1.24.13 | | | 0.00006 | false
CVE-2026-32288 | Twistlock CVE | Medium | archive/tar-1.24.13 | | | 0.00004 | false
CVE-2026-32288 | Anchore CVE | Medium | stdlib-go1.24.13 | | | 0.00004 | false
GHSA-pc3f-x583-g7j2 | Anchore CVE | High | github.com/moby/spdystream-v0.5.0 | | | N/A | N/A
GHSA-9342-92gg-6v29 | Anchore CVE | Medium | jakarta.mail-1.6.7 | | | N/A | N/A
GHSA-9342-92gg-6v29 | Anchore CVE | Medium | jakarta.mail-1.6.7 | | | N/A | N/A
GHSA-6hg6-v5c8-fphq | Anchore CVE | Medium | log4j-core-2.25.3 | | | N/A | N/A
GHSA-6hg6-v5c8-fphq | Anchore CVE | Medium | log4j-core-2.25.3 | | | N/A | N/A
GHSA-6fmv-xxpf-w3cw | Anchore CVE | High | plexus-utils-3.2.1 | | | N/A | N/A
GHSA-6fmv-xxpf-w3cw | Anchore CVE | High | plexus-utils-3.2.1 | | | N/A | N/A
GHSA-445c-vh5m-36rj | Anchore CVE | Medium | log4j-core-2.25.3 | | | N/A | N/A
GHSA-445c-vh5m-36rj | Anchore CVE | Medium | log4j-core-2.25.3 | | | N/A | N/A
GHSA-3pxv-7cmr-fjr4 | Anchore CVE | Medium | log4j-core-2.25.3 | | | N/A | N/A
GHSA-3pxv-7cmr-fjr4 | Anchore CVE | Medium | log4j-core-2.25.3 | | | N/A | N/A
## Tasks
Contributor:
- [ ] Apply the ~"Status::Review" label to this issue for a `merge request review` and wait for feedback
OR
- [ ] Provide justifications for findings in the [VAT](https://vat.dso.mil) ([docs](https://docs-ironbank.dso.mil/hardening/justifications/))
- [ ] Apply the ~"Status::Verification" label to this issue for a `VAT justifications review` and wait for feedback
Iron Bank:
- [ ] Review findings and justifications
> Note: If the above process is rejected for any reason, the `Review` or `Verification` label will be removed and the issue will be sent back to `To-Do`. Any comments will be listed in this issue for you to address. Once they have been addressed, you **must** re-add the `Review` or `Verification` label.
## Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add `/cc @ironbank-notifications/onboarding`.
Additionally, Iron Bank hosts an [AMA](https://www.zoomgov.com/meeting/register/vJIsdemoqTMpGpm-2c6xjdAm0MLD6vuvu5I) working session every Wednesday from 1630-1730 EST to answer questions.