[0KRunning with gitlab-runner 13.8.0 (775dd39d)
[0;m[0K  on dsop-shared-gitlab-runner-f887cbcbd-srgz6 E82_g8RG
[0;msection_start:1629986723:resolve_secrets[0K[0K[36;1mResolving secrets[0;m
[0;msection_end:1629986723:resolve_secrets[0Ksection_start:1629986723:prepare_executor[0K[0K[36;1mPreparing the "kubernetes" executor[0;m
[0;m[0K"ServiceAccount" overwritten with "vat"
[0;m[0KUsing Kubernetes namespace: gitlab-runner-ironbank-dsop
[0;m[0;33mWARNING: Pulling GitLab Runner helper image from Docker Hub. Helper image is migrating to registry.gitlab.com, for more information see https://docs.gitlab.com/runner/configuration/advanced-configuration.html#migrating-helper-image-to-registrygitlabcom
[0;m[0KUsing Kubernetes executor with image registry1.dso.mil/ironbank/ironbank-pipelines/pipeline-runner:0.3 ...
[0;msection_end:1629986723:prepare_executor[0Ksection_start:1629986723:prepare_script[0K[0K[36;1mPreparing environment[0;m
[0;mWaiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-1225-concurrent-0bqcr2 to be running, status is Pending
Waiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-1225-concurrent-0bqcr2 to be running, status is Pending
	ContainersNotInitialized: "containers with incomplete status: [istio-init]"
	ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
	ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Waiting for pod gitlab-runner-ironbank-dsop/runner-e82g8rg-project-1225-concurrent-0bqcr2 to be running, status is Pending
	ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
	ContainersNotReady: "containers with unready status: [build helper istio-proxy]"
Running on runner-e82g8rg-project-1225-concurrent-0bqcr2 via dsop-shared-gitlab-runner-f887cbcbd-srgz6...
section_end:1629986733:prepare_script[0Ksection_start:1629986733:get_sources[0K[0K[36;1mGetting source from Git repository[0;m
[0;m[32;1m$ until [ $(curl --fail --silent --output /dev/stderr --write-out "%{http_code}" localhost:15020/healthz/ready) -eq 200 ]; do echo Waiting for Sidecar; sleep 3 ; done ; echo Sidecar available;[0;m
Sidecar available
[32;1mFetching changes with git depth set to 50...[0;m
Initialized empty Git repository in /builds/dsop/opensource/goharbor/harbor-portal/.git/
[32;1mCreated fresh repository.[0;m
[32;1mChecking out bd6d3865 as development...[0;m
Skipping object checkout, Git LFS is not installed.

[32;1mSkipping Git submodules setup[0;m
section_end:1629986733:get_sources[0Ksection_start:1629986733:download_artifacts[0K[0K[36;1mDownloading artifacts[0;m
[0;m[32;1mDownloading artifacts for anchore-scan (5963400)...[0;m
Downloading artifacts from coordinator... ok      [0;m  id[0;m=5963400 responseStatus[0;m=200 OK token[0;m=aNfRZsok
[0;33mWARNING: ci-artifacts/scan-results/anchore/: lchown ci-artifacts/scan-results/anchore/: operation not permitted (suppressing repeats)[0;m 
[32;1mDownloading artifacts for build (5963398)...[0;m
[32;1mDownloading artifacts for hardening-manifest (5963394)...[0;m
Downloading artifacts from coordinator... ok      [0;m  id[0;m=5963398 responseStatus[0;m=200 OK token[0;m=yxNMK-62
[0;33mWARNING: ci-artifacts/build/: lchown ci-artifacts/build/: operation not permitted (suppressing repeats)[0;m 
Downloading artifacts from coordinator... ok      [0;m  id[0;m=5963394 responseStatus[0;m=200 OK token[0;m=zmDBExTq
[0;33mWARNING: ci-artifacts/preflight/: lchown ci-artifacts/preflight/: operation not permitted (suppressing repeats)[0;m 
[32;1mDownloading artifacts for load-scripts (5963391)...[0;m
Downloading artifacts from coordinator... ok      [0;m  id[0;m=5963391 responseStatus[0;m=200 OK token[0;m=9mSQ4iy4
[0;33mWARNING: ci-artifacts/[MASKED]/: lchown ci-artifacts/[MASKED]/: operation not permitted (suppressing repeats)[0;m 
[32;1mDownloading artifacts for openscap-compliance (5963401)...[0;m
Downloading artifacts from coordinator... ok      [0;m  id[0;m=5963401 responseStatus[0;m=200 OK token[0;m=VmJiLcwK
[0;33mWARNING: ci-artifacts/scan-results/openscap/: lchown ci-artifacts/scan-results/openscap/: operation not permitted (suppressing repeats)[0;m 
[32;1mDownloading artifacts for twistlock-scan (5963402)...[0;m
Downloading artifacts from coordinator... ok      [0;m  id[0;m=5963402 responseStatus[0;m=200 OK token[0;m=T8DHUato
[0;33mWARNING: ci-artifacts/scan-results/twistlock/: lchown ci-artifacts/scan-results/twistlock/: operation not permitted (suppressing repeats)[0;m 
[32;1mDownloading artifacts for wl-compare-lint (5963395)...[0;m
Downloading artifacts from coordinator... ok      [0;m  id[0;m=5963395 responseStatus[0;m=200 OK token[0;m=iSM1Zbxd
[0;33mWARNING: ci-artifacts/lint/: lchown ci-artifacts/lint/: operation not permitted (suppressing repeats)[0;m 
section_end:1629986735:download_artifacts[0Ksection_start:1629986735:step_script[0K[0K[36;1mExecuting "step_script" stage of the job script[0;m
[0;m[32;1m$ "${PIPELINE_REPO_DIR}/stages/vat/vat-run-api.sh"[0;m
INFO: Log level set to info
INFO: Gathering list of all justifications...
INFO: API Response:
{"imageName":"opensource/goharbor/harbor-portal","imageTag":"v2.3.2","accreditation":"Approved","containerState":"Approved","approver":{"date":"2021-08-26T09:06:29.147Z","comment":"Auto Approval derived from previous version opensource/goharbor/harbor-portal:v2.3.0","user":{"name":"VAT_Bot","email":"VAT_Bot@no_reply.com","role":"container_approver"}},"findings":[{"identifier":"320a97c6816565eedf3545833df99dd0","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/su. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for su functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"3456a263793066e9b5063ada6e47917d","source":"anchore_comp","description":"SUID or SGID found set on file /usr/libexec/dbus-1/dbus-daemon-launch-helper. Mode: 0o104750\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for dbus-daemon-launch-helper functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"34de21e516c0ca50a96e5386f163f8bf","source":"anchore_comp","description":"SUID or SGID found set on file /usr/sbin/unix_chkpwd. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for unix_chkpwd functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"3e5fad1c039f3ecfd1dcdc94d2f1f9a0","source":"anchore_comp","description":"SUID or SGID found set on file /usr/libexec/utempter/utempter. Mode: 0o102711\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for utempter functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"463a9a24225c26f7a5bf3f38908e5cb3","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/newgrp. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for newgrp functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"639f6f1177735759703e928c14714a59","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/chage. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for chage functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"698044205a9c4a6d48b7937e66a6bf4f","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/mount. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for mount functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"abb121e9621abdd452f65844954cf1c1","source":"anchore_comp","description":"SUID or SGID found set on file /usr/sbin/pam_timestamp_check. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for pam_timestamp_check functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"addbb93c22e9b0988b8b40392a4538cb","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/write. Mode: 0o102755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for write functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"bcd159901fe47efddae5c095b4b0d7fd","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/passwd. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for passwd functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"c2e44319ae5b3b040044d8ae116d1c2f","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/gpasswd. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for gpasswd functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"c4ad80832b361f81df2a31e5b6b09864","source":"anchore_comp","description":"SUID or SGID found set on file /usr/sbin/userhelper. Mode: 0o104711\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for userhelper functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-80935-0","source":"oscap_comp","description":"Configure System Cryptography Policy","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. FIPS enablement requires the host node to have FIPS enabled at the kernel level which is inherited into the container.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-80938-4","source":"oscap_comp","description":"Configure OpenSSL library to use System Crypto Policy","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. /etc/pki/tls/openssl.cnf contains: [ crypto_policy ] .include /etc/crypto-policies/back-ends/openssl.config .include /etc/crypto-policies/back-ends/opensslcnf.config","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82168-6","source":"oscap_comp","description":"Log USBGuard daemon audit events using Linux Audit","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82214-8","source":"oscap_comp","description":"Install sudo Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2021-01-27T17:54:16.000Z","justification":"Sudo is not installed by default since most images are unprivileged and do not require any super user permissions. Removing the package removes the risk of any privilege escalation exploits within sudo.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-01-27T17:57:21.000Z","comment":"This finding is approved.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82220-5","source":"oscap_comp","description":"Install openscap-scanner Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. SCAP scanning occurs during the build pipeline.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82267-6","source":"oscap_comp","description":"Configure dnf-automatic to Install Only Security Updates","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82360-9","source":"oscap_comp","description":"Enable dnf-automatic Timer","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82368-2","source":"oscap_comp","description":"Authorize Human Interface Devices and USB hubs in USBGuard daemon","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82395-5","source":"oscap_comp","description":"Ensure gnutls-utils is installed","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-13T21:13:21.000Z","justification":"Package not available in UBI repos. This package only contains command line TLS client and server and certificate manipulation tools.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2020-11-13T21:16:30.000Z","comment":"This finding is approved.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82472-2","source":"oscap_comp","description":"Set Existing Passwords Minimum Age","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. No users other than root exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82473-0","source":"oscap_comp","description":"Set Existing Passwords Maximum Age","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Manual check. No users other than root exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82474-8","source":"oscap_comp","description":"Assign Expiration Date to Temporary Accounts","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. No temporary accounts exist.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82494-6","source":"oscap_comp","description":"Configure dnf-automatic to Install Available Updates Automatically","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82880-6","source":"oscap_comp","description":"Configure session renegotiation for SSH client","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-02-03T18:36:51.000Z","justification":"Not applicable. openssh-clients is not installed in the base image by default.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-02-03T18:37:31.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-02-03T20:13:01.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82949-9","source":"oscap_comp","description":"Install scap-security-guide Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. SCAP scanning occurs during the build pipeline.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82959-8","source":"oscap_comp","description":"Install usbguard Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. USB device notifications do not apply to containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82979-6","source":"oscap_comp","description":"Install libcap-ng-utils Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-82985-3","source":"oscap_comp","description":"Install dnf-automatic Package","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Not applicable. This package is not available using UBI repositories and would require a licensed RHEL repository. Package performs automatic updates to installed packages which does not apply to immutable containers.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CCE-83401-0","source":"oscap_comp","description":"Enforce pam_faillock for Local Accounts Only","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-02-03T18:36:51.000Z","justification":"False positive. local_users_only is set in /etc/security/faillock.conf ","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-02-03T18:37:31.000Z","comment":"This finding was reviewed.","designator":"False Positive","falsePositive":true,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-02-03T20:13:02.000Z","comment":"This finding is approved.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2019-20838","source":"anchore_cve","description":"libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\X or \\R has more than one fixed quantifier, a related issue to CVE-2019-20454.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched on 9/21/2018. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:02.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2019-20838","source":"twistlock_cve","description":"libpcre in PCRE before 8.43 allows a subject buffer over-read in JIT when UTF is disabled, and \\\\X or \\\\R has more than one fixed quantifier, a related issue to CVE-2019-20454.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:28.000Z","justification":"Upstream patched on 9/21/2018. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-14155","source":"anchore_cve","description":"libpcre in PCRE before 8.44 allows an integer overflow via a large number after a (?C substring.","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 8.44 on 2/10/2020. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:02.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-14155","source":"twistlock_cve","description":"libpcre in PCRE before 8.44 allows an integer overflow via a large number after a ","package":"pcre-8.42-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 8.44 on 2/10/2020. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-16135","source":"anchore_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-16135","source":"twistlock_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T15:13:07.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T15:13:50.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T15:25:13.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2020-16135","source":"anchore_cve","description":"libssh 0.9.4 has a NULL pointer dereference in tftpserver.c if ssh_buffer_new returns NULL.","package":"libssh-config-0.9.4-2.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Upstream has a patch but not released yet in June 2020. RH has no patch.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2020-24370","source":"anchore_cve","description":"ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31).","package":"lua-libs-5.3.4-11.el8","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:27.000Z","justification":"Published 2020-07-23. Fix available upstream in lua master branch 2020-07-27. Red Hat has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:27.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}},{"identifier":"CVE-2021-20231","source":"anchore_cve","description":"A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20231","source":"twistlock_cve","description":"A flaw was found in gnutls. A use after free issue in client sending key_share extension may lead to memory corruption and other consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20232","source":"anchore_cve","description":"A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20232","source":"twistlock_cve","description":"A flaw was found in gnutls. A use after free issue in client_send_params in lib/ext/pre_shared_key.c may lead to memory corruption and other potential consequences.","package":"gnutls-3.6.14-8.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-04-19T15:31:29.000Z","justification":"Upstream patched in version 3.7.1 on 1/29/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-04-19T15:32:49.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-04-19T15:34:01.000Z","comment":"This finding is approved.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"twistlock_cve","description":"A flaw was found in RPM\\'s hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-20266","source":"anchore_cve","description":"A flaw was found in RPM's hdrblobInit() in lib/header.c. This flaw allows an attacker who can modify the rpmdb to cause an out-of-bounds read. The highest threat from this vulnerability is to system availability.","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"anchore_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"twistlock_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \\\"Exposure of Private Personal Information to an Unauthorized Actor\\\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:16.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22876","source":"anchore_cve","description":"curl 7.1.1 to and including 7.75.0 is vulnerable to an \"Exposure of Private Personal Information to an Unauthorized Actor\" by leaking credentials in the HTTP Referer: header. libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream patched in version 7.76.0 on 3/28/2021. Redhat has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"anchore_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-11T13:30:57.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-11T13:31:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T13:32:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"twistlock_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-22T21:11:58.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-22T21:14:01.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-22T21:14:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22898","source":"anchore_cve","description":"curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized data from a stack based buffer to the server, resulting in potentially revealing sensitive internal information to the server using a clear-text network protocol.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-11T13:30:57.000Z","justification":"True positive. Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-11T13:31:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-11T13:32:17.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"anchore_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"twistlock_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22922","source":"anchore_cve","description":"When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"anchore_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"twistlock_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user\\'s expectations and intentions and without telling the user it happened.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22923","source":"anchore_cve","description":"When curl is instructed to get content using the metalink feature, and a user name and password are used to download the metalink XML file, those same credentials are then subsequently passed on to each of the servers from which curl will download or try to download the contents from. Often contrary to the user's expectations and intentions and without telling the user it happened.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"anchore_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"twistlock_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take \\'issuercert\\' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn\\'t include the \\'issuer cert\\' which a transfer can setto qualify how to verify the server certificate.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22924","source":"anchore_cve","description":"libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert' into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can setto qualify how to verify the server certificate.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Patched upstream in version 7.78.0 on 7/21/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"anchore_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:58.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"twistlock_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"curl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-16T21:12:09.000Z","justification":"Patched upstream in version 7.77.0 on 5/26/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-16T21:12:09.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-16T21:16:24.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-22925","source":"anchore_cve","description":"curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing the string provided by the application.","package":"libcurl-7.61.1-18.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-22T13:54:24.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-22T13:55:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-22T13:58:34.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-23840","source":"anchore_cve","description":"Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-03-31T17:41:15.000Z","justification":"Vendor patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-03-31T17:41:44.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-03-31T17:46:26.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-23841","source":"anchore_cve","description":"The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. The function X509_issuer_and_serial_hash() is never directly called by OpenSSL itself so applications are only vulnerable if they use this function directly and they use it on certificates that may have been obtained from untrusted sources. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-03-31T17:41:15.000Z","justification":"Vendor patched in version 1.1.1j on 2/16/2021. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-03-31T17:41:44.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-03-31T17:46:26.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-27645","source":"anchore_cve","description":"The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-28153","source":"anchore_cve","description":"An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)","package":"glib2-2.56.4-10.el8_4.1","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","justification":"Upstream patched in version 2.67.6 on 3/10/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-11T14:31:51.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-28153","source":"twistlock_cve","description":"An issue was discovered in GNOME GLib before 2.66.8. When g_file_replace() is used with G_FILE_CREATE_REPLACE_DESTINATION to replace a path that is a dangling symlink, it incorrectly also creates the target of the symlink as an empty file, which could conceivably have security relevance if the symlink is attacker-controlled. (If the path is a symlink to a file that already exists, then the contents of that file correctly remain unchanged.)","package":"glib2-2.56.4-10.el8_4.1","findingsState":"approved","contributor":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","justification":"Upstream patched in version 2.67.6 on 3/10/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-08-11T14:31:17.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-11T14:31:51.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3200","source":"anchore_cve","description":"Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp, const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334, which could cause a denial of service","package":"libsolv-0.7.16-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T00:31:56.000Z","justification":"True Positive. Published 2020-12-20. No patch available in UBI.","user":{"name":"melissari_sean","email":"melissari_sean@bah.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:10:21.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:18:42.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3200","source":"twistlock_cve","description":"Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read","package":"libsolv-0.7.16-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T13:34:08.000Z","justification":"True Positive. Published 2020-12-20. No patch available in UBI.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:34:26.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:35:21.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33560","source":"anchore_cve","description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.","package":"libgcrypt-1.8.5-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-16T13:44:47.000Z","justification":"Upstream patched on 5/26/21 in version 1.8.8. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-16T13:52:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-16T13:54:01.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33560","source":"twistlock_cve","description":"Libgcrypt before 1.8.8 and 1.9.x before 1.9.3 mishandles ElGamal encryption because it lacks exponent blinding to address a side-channel attack against mpi_powm, and the window size is not chosen appropriately. (There is also an interoperability problem because the selection of the k integer value does not properly consider the differences between basic ElGamal encryption and generalized ElGamal encryption.) This, for example, affects use of ElGamal in OpenPGP.","package":"libgcrypt-1.8.5-4.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-14T13:18:27.000Z","justification":"Upstream patched on 5/26/21 in version 1.8.8. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-14T13:19:43.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-14T13:20:42.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"twistlock_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-02T13:31:07.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-02T13:34:26.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-02T13:35:21.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-33574","source":"anchore_cve","description":"The mq_notify function in the GNU C Library (aka glibc) versions 2.32 and 2.33 has a use-after-free. It may use the notification thread attributes object (passed through its struct sigevent parameter) after it has been freed by the caller, leading to a denial of service (application crash) or possibly unspecified other impact.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T18:03:07.000Z","justification":"Upstream has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T18:03:59.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T18:13:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"twistlock_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3421","source":"anchore_cve","description":"A flaw was found in the RPM package in the read functionality. This flaw allows an attacker who can convince a victim to install a seemingly verifiable package or compromise an RPM repository, to cause RPM database corruption. The highest threat from this vulnerability is to data integrity. This flaw affects RPM versions before 4.17.0-alpha.","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-30T15:14:01.000Z","justification":"Patched upstream in version 4.16.1.3 on 3/22/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-30T15:15:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-30T15:25:36.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3426","source":"anchore_cve","description":"There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.","package":"platform-python-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:10.000Z","justification":"No upstream fix is available.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3426","source":"anchore_cve","description":"There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince another local or adjacent user to start a pydoc server could access the server and use it to disclose sensitive information belonging to the other user that they would not normally be able to access. The highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9, Python versions before 3.9.3 and Python versions before 3.10.0a7.","package":"python3-libs-3.6.8-37.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:10.000Z","justification":"No upstream fix is available.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:13.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"twistlock_cve","description":"A flaw was found in libdnf\\'s signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T18:16:40.000Z","justification":"Patched upstream in version 0.60.1 on 4/12/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T18:17:14.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T18:19:19.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"python3-hawkey-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:12.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3445","source":"anchore_cve","description":"A flaw was found in libdnf's signature verification functionality in versions before 0.60.1. This flaw allows an attacker to achieve code execution if they can alter the header information of an RPM package and then trick a user or system into installing it. The highest risk of this vulnerability is to confidentiality, integrity, as well as system availability.","package":"python3-libdnf-0.55.0-7.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-05-19T15:04:09.000Z","justification":"Upstream has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-05-19T15:09:13.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-05-19T15:18:17.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3572","source":"anchore_cve","description":"none","package":"python3-pip-wheel-9.0.3-19.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-01T15:13:07.000Z","justification":"Upstream patched in version 21.1. Red Hat has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-01T15:13:50.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-01T15:25:13.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3580","source":"anchore_cve","description":"A flaw was found in the way nettle's RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","package":"nettle-3.4.1-4.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-06-08T18:20:21.000Z","justification":"Patched upstream in version 3.7.3 on 5/17/2021. RH has not patched.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-06-08T18:20:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-06-08T18:21:50.000Z","comment":"This finding is approved.","user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3580","source":"twistlock_cve","description":"A flaw was found in the way nettle\\'s RSA decryption functions handled specially crafted ciphertext. An attacker could use this flaw to provide a manipulated ciphertext leading to application crash and denial of service.","package":"nettle-3.4.1-4.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-06T03:48:05.000Z","justification":"Patched upstream in version 3.7.3 on 5/17/2021. RH has not patched.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-06T13:28:55.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-06T13:31:49.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35937","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35938","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"python3-rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-build-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35939","source":"anchore_cve","description":"none","package":"rpm-libs-4.14.3-14.el8_4","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-02T18:20:01.000Z","justification":"Red Hat states that the rpm package in RHEL 8 is affected by this vulnerability. Red Hat has not patched.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-02T18:24:23.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"hstev09","email":"hunter.stevens@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-02T18:27:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:34.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"twistlock_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-23T15:50:48.000Z","justification":"Upstream patched in version 2.34 which is scheduled to be released on 8/1/21. RH has not patched.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-23T18:06:10.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-23T18:09:07.000Z","comment":"This finding is approved.","user":{"name":"thomas.b.shepherd","email":"shepherd_thomas@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-common-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-35942","source":"anchore_cve","description":"The wordexp function in the GNU C Library (aka glibc) through 2.33 may crash or read arbitrary memory in parse_param (in posix/wordexp.c) when called with an untrusted, crafted pattern, potentially resulting in a denial of service or disclosure of information. This occurs because atoi was used but strtoul should have been used to ensure correct calculations.","package":"glibc-minimal-langpack-2.28-151.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-07T01:05:57.000Z","justification":"Will be patched upstream in version 2.34 around August 1st. No patch available now.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-07T01:06:35.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-07T01:13:46.000Z","comment":"This finding is approved.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36084","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36084","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __cil_verify_classpermission and __cil_pre_verify_helper).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36085","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36085","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in __cil_verify_classperms (called from __verify_map_perm_classperms and hashtab_map).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36086","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36086","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a use-after-free in cil_reset_classpermission (called from cil_reset_classperms_set and cil_reset_classperms_list).","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36087","source":"anchore_cve","description":"The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-21T12:55:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-21T13:00:39.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-21T13:07:04.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36087","source":"twistlock_cve","description":"The CIL compiler in SELinux 3.2 has a heap-based buffer over-read in ebitmap_match_any (called indirectly from cil_check_neverallow). This occurs because there is sometimes a lack of checks for invalid statements in an optional block.","package":"libsepol-2.9-2.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-19T18:18:22.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-19T18:20:03.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-19T18:20:45.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-36222","source":"anchore_cve","description":"ec_verify in kdc/kdc_preauth_ec.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.18.4 and 1.19.x before 1.19.2 allows remote attackers to cause a NULL pointer dereference and daemon crash. This occurs because a return value is not properly managed in a certain situation.","package":"krb5-libs-1.18.2-8.el8","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-07-20T13:36:54.000Z","justification":"No patch available upstream.","user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2021-07-20T13:44:32.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-07-20T13:45:06.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"CVE-2021-3712","source":"anchore_cve","description":"ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are repesented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own \"d2i\" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the \"data\" and \"length\" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the \"data\" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack). It could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext). Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1k). Fixed in OpenSSL 1.0.2za (Affected 1.0.2-1.0.2y).","package":"openssl-libs-1.1.1g-15.el8_3","findingsState":"approved","contributor":{"state":"needs_review","date":"2021-08-25T17:22:33.000Z","justification":"Upstream submitted patches on 08/24/2021 to the 1.1.1 branch. No ETA on finalizing a new 1.1.1 release which contains these patches.","user":{"name":"josheason","email":"josheason@seed-innovations.com","role":"container_contributor"}},"reviewer":{"state":"reviewed","date":"2021-08-25T17:39:52.000Z","comment":"This finding was reviewed.","designator":"True Positive","falsePositive":false,"user":{"name":"andymaks7","email":"andre.maksymowicz@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-08-25T17:40:38.000Z","comment":"This finding is approved.","user":{"name":"riveraj","email":"riveralatorre_jose@bah.com","role":"findings_approver"}}},{"identifier":"e7573262736ef52353cde3bae2617782","source":"anchore_comp","description":"SUID or SGID found set on file /usr/bin/umount. Mode: 0o104755\n Gate: files\n Trigger: suid_or_guid_set\n Policy ID: DoDFileChecks","findingsState":"approved","contributor":{"state":"has_justification","date":"2020-11-10T15:00:28.000Z","justification":"Required for umount functionality.","user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"reviewer":{"state":"reviewed","date":"2020-11-10T15:00:28.000Z","comment":"Approved, imported from spreadsheet.","designator":"True Positive","falsePositive":false,"user":{"name":"alfontaine","email":"alan.fontaine@centauricorp.com","role":"findings_approver"}},"approver":{"state":"approved","date":"2021-01-27T22:52:42.000Z","comment":"Approved with conditions. RH must fix CVE-2019-25013 within 30 days.","user":{"name":"nicosnt","email":"nicolas.m.chaillan.civ@mail.mil","role":"container_approver"}}}],"digest":"2c669f918e67acaa35cfa9c777c1d7334098b3f5f15318989d43a919974439b9"}
INFO: POST Response: 201
section_end:1629986753:step_script[0Ksection_start:1629986753:upload_artifacts_on_success[0K[0K[36;1mUploading artifacts for successful job[0;m
[0;m[32;1mUploading artifacts...[0;m
ci-artifacts/vat_request.json: found 1 matching files and directories[0;m 
Uploading artifacts as "archive" to coordinator... ok[0;m  id[0;m=5963408 responseStatus[0;m=201 Created token[0;m=3i_iuGg_
section_end:1629986755:upload_artifacts_on_success[0Ksection_start:1629986755:cleanup_file_variables[0K[0K[36;1mCleaning up file based variables[0;m
[0;msection_end:1629986755:cleanup_file_variables[0K[32;1mJob succeeded
[0;m