chore(findings): opensource/pytorch

Summary

opensource/pytorch has 77 new findings discovered during continuous monitoring.

Layer: opensource/pytorch:2.6.0 is EOL, please update if possible

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=opensource/pytorch&tag=2.6.0&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id	source	severity	package	epss_score	kev
CVE-2021-3826	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00368	false
CVE-2021-3826	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00368	false
CVE-2021-3826	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00368	false
CVE-2021-45078	Twistlock CVE	Medium	binutils-2.35.2-63.el9	0.00208	false
CVE-2021-45078	Anchore CVE	Medium	binutils-2.35.2-63.el9	0.00208	false
CVE-2021-45078	Anchore CVE	Medium	binutils-gold-2.35.2-63.el9	0.00208	false
CVE-2025-1153	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00185	false
CVE-2025-1153	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00185	false
CVE-2025-1153	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00185	false
CVE-2021-20197	Twistlock CVE	Medium	binutils-2.35.2-63.el9	0.00138	false
CVE-2021-20197	Anchore CVE	Medium	binutils-gold-2.35.2-63.el9	0.00138	false
CVE-2021-20197	Anchore CVE	Medium	binutils-2.35.2-63.el9	0.00138	false
CVE-2021-32256	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00115	false
CVE-2021-32256	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00115	false
CVE-2025-1152	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00081	false
CVE-2025-1152	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00081	false
CVE-2025-1152	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00081	false
CVE-2025-1150	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00081	false
CVE-2025-1150	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00081	false
CVE-2025-1150	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00081	false
CVE-2025-1151	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00075	false
CVE-2025-1151	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00075	false
CVE-2025-1151	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00075	false
CVE-2025-1377	Anchore CVE	Low	elfutils-debuginfod-client-0.192-6.el9_6	0.00065	false
CVE-2022-27943	Anchore CVE	Low	cpp-11.5.0-5.el9_5	0.00050	false
CVE-2022-27943	Anchore CVE	Low	gcc-11.5.0-5.el9_5	0.00050	false
CVE-2025-1376	Anchore CVE	Low	elfutils-debuginfod-client-0.192-6.el9_6	0.00048	false
CVE-2023-1972	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00045	false
CVE-2023-1972	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00045	false
CVE-2023-1972	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00045	false
CVE-2023-1579	Twistlock CVE	Medium	binutils-2.35.2-63.el9	0.00040	false
CVE-2023-1579	Anchore CVE	Medium	binutils-2.35.2-63.el9	0.00040	false
CVE-2023-1579	Anchore CVE	Medium	binutils-gold-2.35.2-63.el9	0.00040	false
CVE-2023-24056	Twistlock CVE	Low	pkgconf-1.7.3-10.el9	0.00037	false
CVE-2023-24056	Anchore CVE	Low	pkgconf-1.7.3-10.el9	0.00037	false
CVE-2023-24056	Anchore CVE	Low	libpkgconf-1.7.3-10.el9	0.00037	false
CVE-2023-24056	Anchore CVE	Low	pkgconf-pkg-config-1.7.3-10.el9	0.00037	false
CVE-2023-24056	Anchore CVE	Low	pkgconf-m4-1.7.3-10.el9	0.00037	false
CVE-2025-1371	Anchore CVE	Low	elfutils-debuginfod-client-0.192-6.el9_6	0.00029	false
CVE-2024-57360	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00024	false
CVE-2024-57360	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00024	false
CVE-2024-57360	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00024	false
CVE-2025-5245	Twistlock CVE	Medium	binutils-2.35.2-63.el9	0.00022	false
CVE-2025-5245	Anchore CVE	Medium	binutils-2.35.2-63.el9	0.00022	false
CVE-2025-5245	Anchore CVE	Medium	binutils-gold-2.35.2-63.el9	0.00022	false
CVE-2022-44840	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00021	false
CVE-2022-44840	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00021	false
CVE-2022-44840	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00021	false
CVE-2022-38533	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00017	false
CVE-2022-38533	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00017	false
CVE-2022-38533	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00017	false
CVE-2025-7546	Twistlock CVE	Medium	binutils-2.35.2-63.el9	0.00015	false
CVE-2025-7546	Anchore CVE	Medium	binutils-2.35.2-63.el9	0.00015	false
CVE-2025-7546	Anchore CVE	Medium	binutils-gold-2.35.2-63.el9	0.00015	false
CVE-2025-7545	Twistlock CVE	Medium	binutils-2.35.2-63.el9	0.00014	false
CVE-2025-7545	Anchore CVE	Medium	binutils-gold-2.35.2-63.el9	0.00014	false
CVE-2025-7545	Anchore CVE	Medium	binutils-2.35.2-63.el9	0.00014	false
CVE-2024-25260	Anchore CVE	Low	elfutils-debuginfod-client-0.192-6.el9_6	0.00014	false
CVE-2022-47011	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00014	false
CVE-2022-47011	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00014	false
CVE-2022-47011	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00014	false
CVE-2022-47010	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00014	false
CVE-2022-47010	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00014	false
CVE-2022-47010	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00014	false
CVE-2022-47008	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00014	false
CVE-2022-47008	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00014	false
CVE-2022-47008	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00014	false
CVE-2022-47007	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00014	false
CVE-2022-47007	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00014	false
CVE-2022-47007	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00014	false
CVE-2025-3198	Twistlock CVE	Low	binutils-2.35.2-63.el9	0.00011	false
CVE-2025-3198	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	0.00011	false
CVE-2025-3198	Anchore CVE	Low	binutils-2.35.2-63.el9	0.00011	false
CVE-2023-2222	Anchore CVE	Low	binutils-2.35.2-63.el9	N/A	false
CVE-2023-2222	Anchore CVE	Low	binutils-gold-2.35.2-63.el9	N/A	false
b158ebd45239eda54048347d0ed89863	Anchore Compliance	Critical		N/A	N/A
784f3371c98e2d16bce4e3dce87cd5cb	Anchore Compliance	Critical		N/A	N/A

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=opensource/pytorch&tag=2.6.0&branch=master

Novel Tidelift Findings (Experimental)

opensource/pytorch has 11 novel Tidelift findings discovered during continuous monitoring.

NOTE: This table is for Iron Bank evaluation and testing purposes. No action required by vendors.

id	cvss score	package	impact	workaround	epss_score	kev
CVE-2024-6345	8.8	setuptools-53.0.0	Most users have migrated off of the code paths that are affected. The affected code paths are actively deprecated and planned for turn down. Only specialized and legacy workflows are affected.	Use recommended installers pip, uv, build, system package managers to install all packages from trusted indexes. If working with untrusted content in private indexes, consider scanning for malicious code in the package index pages.	0.09839	false
CVE-2023-32681	6.1	requests-2.25.1	Requires that deployment or integration of requests is being used to a connect to untrusted hosts b is connecting over HTTPS and c is using proxies to do so.		0.06277	false
CVE-2023-43804	8.1	urllib3-1.26.5	Usage of the Cookie header is rare with urllib3. This is more common and useful in browsers. Redirections to another origin are also not the common case.		0.00472	false
CVE-2024-3651	7.5	idna-2.10			0.00338	false
CVE-2022-40897	7.5	setuptools-53.0.0	Code path is deprecated.		0.00318	false
CVE-2024-37891	4.4	urllib3-1.26.5	Theres no reason to set ProxyAuthorization without using urllib3s proxy support.	Using the ProxyAuthorization header with urllib3s ProxyManager. Disabling HTTP redirects using redirectsFalse when sending requests. Not using the ProxyAuthorization header.	0.00193	false
CVE-2025-47273	7.7	setuptools-53.0.0			0.00139	false
CVE-2023-45803	4.2	urllib3-1.26.5	No exploits from real world were reported	Disable redirects for services that you arent expecting to respond with redirects with redirectsFalse.Disable automatic redirects with redirectsFalse and handle 303 redirects manually by stripping the HTTP request body.	0.00055	false
CVE-2024-47081	5.3	requests-2.25.1			0.00028	false
CVE-2024-35195	5.6	requests-2.25.1			0.00022	false
CVE-2025-50182	5.3	urllib3-1.26.5	Pyodide is extremely rare configuration for users in production.		0.00013	false

Tasks

Contributor:

Provide justifications for findings in the VAT (docs)
Apply the StatusVerification label to this issue and wait for feedback

Iron Bank:

Review findings and justifications

Note: If the above process is rejected for any reason, the Verification label will be removed and the issue will be sent back to Open. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

Admin message

chore(findings): opensource/pytorch

Summary

Novel Tidelift Findings (Experimental)

Tasks

Questions?