chore(findings): opensource/keycloak/keycloak
Summary
opensource/keycloak/keycloak has 35 new findings discovered during continuous monitoring.
id | source | severity | package |
---|---|---|---|
GHSA-m4mm-pg93-fv78 | Anchore CVE | High | undertow-core-2.2.17.Final |
GHSA-m4mm-pg93-fv78 | Anchore CVE | High | undertow-core-2.2.17.Final |
GHSA-3p86-9955-h393 | Anchore CVE | High | org.eclipse.jgit-5.13.0.202109080827-r |
GHSA-rhrv-645h-fjfh | Anchore CVE | High | avro-1.10.2 |
CVE-2023-0833 | Anchore CVE | Medium | okhttp-3.14.9 |
GHSA-xpw8-rcwv-8f8p | Anchore CVE | High | netty-codec-http2-4.1.76.Final |
GHSA-xfrj-6vvc-3xm2 | Anchore CVE | Medium | xmlsec-2.2.3 |
GHSA-7g24-qg88-p43q | Anchore CVE | High | jose4j-0.7.11 |
GHSA-26qx-4m49-6cfr | Anchore CVE | Medium | wildfly-controller-18.1.1.Final |
CVE-2023-5678 | Anchore CVE | Low | openssl-1:1.1.1k-9.el8_7 |
CVE-2023-46604 | Anchore CVE | Critical | activemq-artemis-native-1.0.2 |
GHSA-q84x-3476-8ff2 | Anchore CVE | Medium | apache-mime4j-storage-0.8.7 |
GHSA-8hc5-rmgf-qx6p | Anchore CVE | Low | keycloak-ldap-federation-19.0.3 |
CVE-2023-35887 | Anchore CVE | Medium | sshd-core-2.7.0 |
GHSA-8hc5-rmgf-qx6p | Anchore CVE | Low | keycloak-services-19.0.3 |
CVE-2022-41678 | Anchore CVE | High | activemq-artemis-native-1.0.2 |
CVE-2023-33201 | Twistlock CVE | Medium | org.bouncycastle_bcprov-jdk15on-1.69 |
CVE-2023-1108 | Twistlock CVE | High | io.undertow_undertow-core-2.2.17 |
CVE-2023-4759 | Twistlock CVE | High | org.eclipse.jgit_org.eclipse.jgit-5.13.0.202109080827 |
CVE-2022-3916 | Twistlock CVE | Medium | org.keycloak_keycloak-core-19.0.3 |
CVE-2023-3223 | Twistlock CVE | High | io.undertow_undertow-core-2.2.17 |
CVE-2023-0833 | Twistlock CVE | Medium | com.squareup.okhttp3_okhttp-3.14.9 |
CVE-2023-39410 | Twistlock CVE | High | org.apache.avro_avro-1.10.2 |
GHSA-xpw8-rcwv-8f8p | Twistlock CVE | High | io.netty_netty-codec-http2-4.1.76 |
CVE-2023-44487 | Twistlock CVE | High | io.netty_netty-codec-4.1.76 |
CVE-2023-44487 | Twistlock CVE | High | io.netty_netty-codec-http2-4.1.76 |
CVE-2023-31582 | Twistlock CVE | High | org.bitbucket.b_c_jose4j-0.7.11 |
CVE-2023-44483 | Twistlock CVE | Medium | org.apache.santuario_xmlsec-2.2.3 |
CVE-2023-35116 | Twistlock CVE | Medium | com.fasterxml.jackson.core_jackson-databind-2.12.6.1 |
CVE-2023-35116 | Twistlock CVE | Medium | com.fasterxml.jackson.core_jackson-databind-2.13.2.2 |
CVE-2023-4061 | Twistlock CVE | Medium | org.wildfly.core_wildfly-controller-18.1.1 |
CVE-2023-5678 | Twistlock CVE | Low | openssl-1.1.1k-9.el8_7 |
CVE-2022-45787 | Twistlock CVE | Medium | org.apache.james_apache-mime4j-storage-0.8.7 |
CVE-2022-2232 | Twistlock CVE | Low | org.keycloak_keycloak-ldap-federation-19.0.3 |
CVE-2022-2232 | Twistlock CVE | Low | org.keycloak_keycloak-services-19.0.3 |
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=opensource/keycloak/keycloak&tag=19.0.3-legacy&branch=master
Tasks
Contributor:
- Provide justifications for findings in the VAT (docs)
- Apply the StatusVerification label to this issue and wait for feedback
Iron Bank:
- Review findings and justifications
Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.