UNCLASSIFIED - NO CUI


chore(findings): phylum/ui

Summary

phylum/ui has 332 new findings discovered during continuous monitoring.

Layer: redhat/ubi/ubi9:9.3 is EOL, please update if possible

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=phylum/ui&tag=1.17.5&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id source severity package impact workaround epss_score kev
CVE-2016-1247 Anchore CVE Low nginx-filesystem-2:1.20.1-22.el9_6.3 0.08708 false
CVE-2016-1247 Anchore CVE Low nginx-core-2:1.20.1-22.el9_6.3 0.08708 false
CVE-2016-1247 Anchore CVE Low nginx-2:1.20.1-22.el9_6.3 0.08708 false
CVE-2016-1247 Twistlock CVE Low nginx-2:1.20.1-22.el9_6.3 0.08708 false
CVE-2024-1931 Anchore CVE Medium unbound-libs-1.16.2-19.el9_6.1 0.06753 false
CVE-2024-1931 Twistlock CVE Medium unbound-1.16.2-19.el9_6.1 0.06753 false
CVE-2024-7264 Anchore CVE Low libcurl-minimal-7.76.1-31.el9_6.1 0.06460 false
CVE-2024-7264 Anchore CVE Low curl-minimal-7.76.1-31.el9_6.1 0.06460 false
CVE-2024-7264 Twistlock CVE Low curl-7.76.1-31.el9_6.1 0.06460 false
CVE-2024-33655 Anchore CVE Low unbound-libs-1.16.2-19.el9_6.1 0.03995 false
CVE-2024-33655 Twistlock CVE Low unbound-1.16.2-19.el9_6.1 0.03995 false
CVE-2024-56433 Anchore CVE Low shadow-utils-2:4.9-12.el9 0.03604 false
CVE-2021-27290 Anchore CVE Medium npm-1:8.19.4-1.16.20.2.8.el9_4 0.02665 false
CVE-2021-27290 Anchore CVE Medium nodejs-full-i18n-1:16.20.2-8.el9_4 0.02665 false
CVE-2021-27290 Anchore CVE Medium nodejs-docs-1:16.20.2-8.el9_4 0.02665 false
CVE-2021-27290 Anchore CVE Medium nodejs-libs-1:16.20.2-8.el9_4 0.02665 false
CVE-2021-27290 Anchore CVE Medium nodejs-1:16.20.2-8.el9_4 0.02665 false
CVE-2021-27290 Twistlock CVE Medium nodejs-1:16.20.2-8.el9_4 0.02665 false
CVE-2024-45590 Twistlock CVE High body-parser-1.20.1 A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. More technical details can be found at https://expressjs.com/2024/10/22/security-audit-milestone-achievement.html 0.01873 false
CVE-2024-39338 Twistlock CVE High axios-1.6.1 0.01587 false
CVE-2024-33883 Twistlock CVE Medium ejs-3.1.8 0.01263 false
CVE-2023-46809 Anchore CVE Medium nodejs-libs-1:16.20.2-8.el9_4 0.00962 false
CVE-2023-46809 Anchore CVE Medium nodejs-full-i18n-1:16.20.2-8.el9_4 0.00962 false
CVE-2023-46809 Anchore CVE Medium nodejs-docs-1:16.20.2-8.el9_4 0.00962 false
CVE-2023-46809 Anchore CVE Medium npm-1:8.19.4-1.16.20.2.8.el9_4 0.00962 false
CVE-2023-46809 Anchore CVE Medium nodejs-1:16.20.2-8.el9_4 0.00962 false
CVE-2023-46809 Twistlock CVE Medium nodejs-1:16.20.2-8.el9_4 0.00962 false
CVE-2024-11831 Twistlock CVE Medium serialize-javascript-6.0.0 0.00648 false
CVE-2024-43788 Twistlock CVE Medium webpack-5.76.1 0.00627 false
CVE-2024-9681 Anchore CVE Low libcurl-minimal-7.76.1-31.el9_6.1 0.00571 false
CVE-2024-9681 Anchore CVE Low curl-minimal-7.76.1-31.el9_6.1 0.00571 false
CVE-2024-9681 Twistlock CVE Low curl-7.76.1-31.el9_6.1 0.00571 false
CVE-2024-37890 Twistlock CVE High ws-7.5.9 0.00541 false
CVE-2024-37890 Twistlock CVE High ws-8.11.0 0.00541 false
CVE-2024-41996 Anchore CVE Low openssl-1:3.2.2-6.el9_5.1 0.00446 false
CVE-2024-41996 Anchore CVE Low openssl-libs-1:3.2.2-6.el9_5.1 0.00446 false
CVE-2024-41996 Twistlock CVE Low openssl-1:3.2.2-6.el9_5.1 0.00446 false
CVE-2024-34459 Anchore CVE Low libxml2-2.9.13-12.el9_6 0.00390 false
CVE-2024-34459 Twistlock CVE Low libxml2-2.9.13-12.el9_6 0.00390 false
CVE-2025-1153 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00375 false
CVE-2025-1153 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00375 false
CVE-2021-20066 Twistlock CVE Low jsdom-16.7.0 0.00362 false
CVE-2024-11053 Anchore CVE Low libcurl-minimal-7.76.1-31.el9_6.1 0.00337 false
CVE-2024-11053 Anchore CVE Low curl-minimal-7.76.1-31.el9_6.1 0.00337 false
CVE-2024-11053 Twistlock CVE Low curl-7.76.1-31.el9_6.1 0.00337 false
CVE-2022-25883 Anchore CVE Medium nodejs-libs-1:16.20.2-8.el9_4 0.00321 false
CVE-2022-25883 Anchore CVE Medium npm-1:8.19.4-1.16.20.2.8.el9_4 0.00321 false
CVE-2022-25883 Anchore CVE Medium nodejs-1:16.20.2-8.el9_4 0.00321 false
CVE-2022-25883 Anchore CVE Medium nodejs-full-i18n-1:16.20.2-8.el9_4 0.00321 false
CVE-2022-25883 Anchore CVE Medium nodejs-docs-1:16.20.2-8.el9_4 0.00321 false
CVE-2022-25883 Twistlock CVE Medium nodejs-1:16.20.2-8.el9_4 0.00321 false
CVE-2024-43800 Twistlock CVE Medium serve-static-1.15.0 Users who are already validating and sanitizing their inputs as expected are highly unlikely to be impacted. Validate and sanitize user input before passing it to this method. 0.00280 false
CVE-2021-3572 Anchore CVE Low python3-pip-wheel-21.3.1-1.el9 0.00240 false
CVE-2021-3572 Twistlock CVE Low python-pip-21.3.1-1.el9 0.00240 false
CVE-2025-1795 Anchore CVE Low python3-3.9.21-2.el9_6.2 0.00236 false
CVE-2025-1795 Anchore CVE Low python3-libs-3.9.21-2.el9_6.2 0.00236 false
CVE-2025-1795 Twistlock CVE Low python3.9-3.9.21-2.el9_6.2 0.00236 false
CVE-2024-4068 Twistlock CVE High braces-3.0.2 0.00225 false
CVE-2024-29180 Twistlock CVE High webpack-dev-middleware-5.3.3 0.00218 false
CVE-2024-28849 Twistlock CVE Medium follow-redirects-1.15.4 0.00216 false
CVE-2021-3807 Anchore CVE Medium nodejs-docs-1:16.20.2-8.el9_4 0.00215 false
CVE-2021-3807 Anchore CVE Medium nodejs-libs-1:16.20.2-8.el9_4 0.00215 false
CVE-2021-3807 Anchore CVE Medium nodejs-full-i18n-1:16.20.2-8.el9_4 0.00215 false
CVE-2021-3807 Anchore CVE Medium nodejs-1:16.20.2-8.el9_4 0.00215 false
CVE-2021-3807 Anchore CVE Medium npm-1:8.19.4-1.16.20.2.8.el9_4 0.00215 false
CVE-2021-3807 Twistlock CVE Medium nodejs-1:16.20.2-8.el9_4 0.00215 false
CVE-2024-28863 Twistlock CVE Medium tar-6.1.11 0.00198 false
CVE-2023-32636 Twistlock CVE Low glib2-2.68.4-16.el9_6.3 0.00165 false
CVE-2023-32636 Anchore CVE Low glib2-2.68.4-16.el9_6.3 0.00165 false
CVE-2025-1632 Anchore CVE Low libarchive-3.5.3-6.el9_6 0.00156 false
CVE-2025-1632 Twistlock CVE Low libarchive-3.5.3-6.el9_6 0.00156 false
CVE-2023-44270 Twistlock CVE Medium postcss-7.0.39 Most users use PostCSS locally as a build tool. Even people who process users' CSS via PostCSS rarely do security linting of CSS. Remove all `\r` before parsing CSS 0.00148 false
CVE-2023-44270 Twistlock CVE Medium postcss-8.4.19 Most users use PostCSS locally as a build tool. Even people who process users' CSS via PostCSS rarely do security linting of CSS. Remove all `\r` before parsing CSS 0.00148 false
CVE-2024-24806 Anchore CVE Medium nodejs-1:16.20.2-8.el9_4 0.00142 false
CVE-2024-24806 Anchore CVE Medium nodejs-libs-1:16.20.2-8.el9_4 0.00142 false
CVE-2024-24806 Anchore CVE Medium nodejs-full-i18n-1:16.20.2-8.el9_4 0.00142 false
CVE-2024-24806 Anchore CVE Medium nodejs-docs-1:16.20.2-8.el9_4 0.00142 false
CVE-2024-24806 Anchore CVE Medium npm-1:8.19.4-1.16.20.2.8.el9_4 0.00142 false
CVE-2024-24806 Twistlock CVE Medium nodejs-1:16.20.2-8.el9_4 0.00142 false
CVE-2023-38552 Anchore CVE Medium nodejs-1:16.20.2-8.el9_4 0.00137 false
CVE-2023-38552 Anchore CVE Medium nodejs-libs-1:16.20.2-8.el9_4 0.00137 false
CVE-2023-38552 Anchore CVE Medium npm-1:8.19.4-1.16.20.2.8.el9_4 0.00137 false
CVE-2023-38552 Anchore CVE Medium nodejs-docs-1:16.20.2-8.el9_4 0.00137 false
CVE-2023-38552 Anchore CVE Medium nodejs-full-i18n-1:16.20.2-8.el9_4 0.00137 false
CVE-2023-38552 Twistlock CVE Medium nodejs-1:16.20.2-8.el9_4 0.00137 false
CVE-2024-21536 Twistlock CVE High http-proxy-middleware-2.0.6 0.00136 false
CVE-2024-21538 Twistlock CVE High cross-spawn-7.0.3 0.00129 false
CVE-2024-4067 Twistlock CVE Medium micromatch-4.0.5 0.00126 false
CVE-2020-12413 Anchore CVE Low nss-softokn-3.112.0-4.el9_4 0.00120 false
CVE-2020-12413 Anchore CVE Low nss-softokn-freebl-3.112.0-4.el9_4 0.00120 false
CVE-2020-12413 Anchore CVE Low nss-3.112.0-4.el9_4 0.00120 false
CVE-2020-12413 Anchore CVE Low nss-sysinit-3.112.0-4.el9_4 0.00120 false
CVE-2020-12413 Anchore CVE Low nss-util-3.112.0-4.el9_4 0.00120 false
CVE-2020-12413 Anchore CVE Low nspr-4.36.0-4.el9_4 0.00120 false
CVE-2020-12413 Twistlock CVE Low nss-3.112.0-4.el9_4 0.00120 false
CVE-2024-13176 Anchore CVE Low openssl-libs-1:3.2.2-6.el9_5.1 0.00118 false
CVE-2024-13176 Anchore CVE Low openssl-1:3.2.2-6.el9_5.1 0.00118 false
CVE-2024-13176 Twistlock CVE Low openssl-1:3.2.2-6.el9_5.1 0.00118 false
CVE-2025-6069 Anchore CVE Medium python3-libs-3.9.21-2.el9_6.2 0.00116 false
CVE-2025-6069 Anchore CVE Medium python3-3.9.21-2.el9_6.2 0.00116 false
CVE-2025-6069 Twistlock CVE Medium python3.9-3.9.21-2.el9_6.2 0.00116 false
CVE-2025-1152 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00113 false
CVE-2025-1152 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00113 false
CVE-2025-1150 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00113 false
CVE-2025-1150 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00113 false
CVE-2025-53859 Anchore CVE Low nginx-filesystem-2:1.20.1-22.el9_6.3 0.00106 false
CVE-2025-53859 Anchore CVE Low nginx-2:1.20.1-22.el9_6.3 0.00106 false
CVE-2025-53859 Anchore CVE Low nginx-core-2:1.20.1-22.el9_6.3 0.00106 false
CVE-2025-53859 Twistlock CVE Low nginx-2:1.20.1-22.el9_6.3 0.00106 false
CVE-2025-1151 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00104 false
CVE-2025-1151 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00104 false
CVE-2023-39333 Anchore CVE Low nodejs-full-i18n-1:16.20.2-8.el9_4 0.00094 false
CVE-2023-39333 Anchore CVE Low nodejs-docs-1:16.20.2-8.el9_4 0.00094 false
CVE-2023-39333 Anchore CVE Low nodejs-1:16.20.2-8.el9_4 0.00094 false
CVE-2023-39333 Anchore CVE Low nodejs-libs-1:16.20.2-8.el9_4 0.00094 false
CVE-2023-39333 Anchore CVE Low npm-1:8.19.4-1.16.20.2.8.el9_4 0.00094 false
CVE-2023-39333 Twistlock CVE Low nodejs-1:16.20.2-8.el9_4 0.00094 false
CVE-2022-37620 Twistlock CVE High html-minifier-terser-6.1.0 0.00094 false
CVE-2025-7039 Twistlock CVE Low glib2-2.68.4-16.el9_6.3 0.00089 false
CVE-2024-52798 Twistlock CVE High path-to-regexp-0.1.7 0.00086 false
CVE-2024-43799 Twistlock CVE Medium send-0.18.0 Application owners have always been expected to sanitize and validate their inputs, so using it correctly should result in very low likelihood of impact. Validate and sanitize user inputs. 0.00081 false
CVE-2023-45143 Anchore CVE Low nodejs-libs-1:16.20.2-8.el9_4 0.00078 false
CVE-2023-45143 Anchore CVE Low nodejs-docs-1:16.20.2-8.el9_4 0.00078 false
CVE-2023-45143 Anchore CVE Low npm-1:8.19.4-1.16.20.2.8.el9_4 0.00078 false
CVE-2023-45143 Anchore CVE Low nodejs-1:16.20.2-8.el9_4 0.00078 false
CVE-2023-45143 Anchore CVE Low nodejs-full-i18n-1:16.20.2-8.el9_4 0.00078 false
CVE-2023-45143 Twistlock CVE Low nodejs-1:16.20.2-8.el9_4 0.00078 false
CVE-2025-9086 Anchore CVE Medium libcurl-minimal-7.76.1-31.el9_6.1 0.00077 false
CVE-2025-9086 Anchore CVE Medium curl-minimal-7.76.1-31.el9_6.1 0.00077 false
CVE-2025-9086 Twistlock CVE Medium curl-7.76.1-31.el9_6.1 0.00077 false
CVE-2025-30359 Twistlock CVE Medium webpack-dev-server-4.11.1 0.00076 false
CVE-2023-45322 Anchore CVE Low libxml2-2.9.13-12.el9_6 0.00076 false
CVE-2025-59375 Anchore CVE High expat-2.5.0-5.el9_6 0.00075 false
CVE-2025-59375 Twistlock CVE High expat-2.5.0-5.el9_6 0.00075 false
CVE-2025-1377 Anchore CVE Low elfutils-libelf-0.192-6.el9_6 0.00074 false
CVE-2025-1377 Anchore CVE Low elfutils-default-yama-scope-0.192-6.el9_6 0.00074 false
CVE-2025-1377 Anchore CVE Low elfutils-libs-0.192-6.el9_6 0.00074 false
CVE-2025-1377 Twistlock CVE Low elfutils-0.192-6.el9_6 0.00074 false
CVE-2025-8291 Twistlock CVE Medium python3.9-3.9.21-2.el9_6.2 0.00073 false
CVE-2025-8291 Anchore CVE Medium python3-3.9.21-2.el9_6.2 0.00073 false
CVE-2025-8291 Anchore CVE Medium python3-libs-3.9.21-2.el9_6.2 0.00073 false
CVE-2024-47764 Twistlock CVE Low cookie-0.5.0 0.00069 false
CVE-2023-39804 Anchore CVE Low tar-2:1.34-7.el9 0.00067 false
CVE-2023-39804 Twistlock CVE Low tar-2:1.34-7.el9 0.00067 false
CVE-2024-43796 Twistlock CVE Medium express-4.18.2 A successful exploitation of this vector requires the following: 1. The attacker MUST control the input to response.redirect; 2. express MUST NOT redirect before the template appears; 3. the browser MUST NOT complete redirection before; 4. the user MUST click on the link in the template. Note: this exploitation requires a lot of work from the attacker; also the victim should use the links generated in the template, which requires certain conditions (browser rules, network, etc.). More details: https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx Users are encouraged to upgrade to the patched version of express, but otherwise can work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist 0.00065 false
CVE-2024-45296 Twistlock CVE High path-to-regexp-1.8.0 It's unlikely you are using routes that match the required characteristics; the overwhelming majority of user paths stick with foobar or foo.bar. Provide a manual regular expression to the second parameter that does not match the prefixed text. 0.00064 false
CVE-2024-45296 Twistlock CVE High path-to-regexp-0.1.7 It's unlikely you are using routes that match the required characteristics; the overwhelming majority of user paths stick with foobar or foo.bar. Provide a manual regular expression to the second parameter that does not match the prefixed text. 0.00064 false
CVE-2025-3360 Twistlock CVE Low glib2-2.68.4-16.el9_6.3 0.00061 false
CVE-2025-3360 Anchore CVE Low glib2-2.68.4-16.el9_6.3 0.00061 false
CVE-2022-41409 Anchore CVE Low pcre2-syntax-10.40-6.el9 0.00061 false
CVE-2022-41409 Anchore CVE Low pcre2-10.40-6.el9 0.00061 false
CVE-2022-41409 Twistlock CVE Low pcre2-10.40-6.el9 0.00061 false
CVE-2025-27113 Anchore CVE Low libxml2-2.9.13-12.el9_6 0.00059 false
CVE-2025-27113 Twistlock CVE Low libxml2-2.9.13-12.el9_6 0.00059 false
CVE-2024-47068 Twistlock CVE Medium rollup-2.79.1 0.00058 false
CVE-2024-43168 Anchore CVE Low unbound-libs-1.16.2-19.el9_6.1 0.00057 false
CVE-2024-43168 Twistlock CVE Low unbound-1.16.2-19.el9_6.1 0.00057 false
CVE-2025-1376 Anchore CVE Low elfutils-libelf-0.192-6.el9_6 0.00055 false
CVE-2025-1376 Anchore CVE Low elfutils-libs-0.192-6.el9_6 0.00055 false
CVE-2025-1376 Anchore CVE Low elfutils-default-yama-scope-0.192-6.el9_6 0.00055 false
CVE-2025-1376 Twistlock CVE Low elfutils-0.192-6.el9_6 0.00055 false
CVE-2025-4598 Twistlock CVE Medium systemd-252-51.el9_6.3 0.00053 false
CVE-2025-4598 Anchore CVE Medium systemd-libs-252-51.el9_6.3 0.00053 false
CVE-2025-4598 Anchore CVE Medium systemd-rpm-macros-252-51.el9_6.3 0.00053 false
CVE-2025-4598 Anchore CVE Medium systemd-252-51.el9_6.3 0.00053 false
CVE-2025-4598 Anchore CVE Medium systemd-pam-252-51.el9_6.3 0.00053 false
CVE-2025-7783 Twistlock CVE Critical form-data-4.0.0 See the impact section in the attached GHSA. 0.00052 false
CVE-2025-7783 Twistlock CVE Critical form-data-3.0.1 See the impact section in the attached GHSA. 0.00052 false
CVE-2025-27789 Twistlock CVE Medium @babel/runtime-corejs3-7.20.6 It's only if you are passing untrusted inputs to the second argument of RegExp.prototype.replace, which is a rare thing to do 0.00050 false
CVE-2025-27789 Twistlock CVE Medium @babel/helpers-7.20.6 0.00050 false
CVE-2025-27789 Twistlock CVE Medium @babel/runtime-7.20.6 It's only if you are passing untrusted inputs to the second argument of RegExp.prototype.replace, which is a rare thing to do 0.00050 false
CVE-2024-7531 Anchore CVE Low nss-3.112.0-4.el9_4 0.00050 false
CVE-2024-7531 Anchore CVE Low nss-sysinit-3.112.0-4.el9_4 0.00050 false
CVE-2024-7531 Anchore CVE Low nss-softokn-3.112.0-4.el9_4 0.00050 false
CVE-2024-7531 Anchore CVE Low nspr-4.36.0-4.el9_4 0.00050 false
CVE-2024-7531 Anchore CVE Low nss-util-3.112.0-4.el9_4 0.00050 false
CVE-2024-7531 Anchore CVE Low nss-softokn-freebl-3.112.0-4.el9_4 0.00050 false
CVE-2024-7531 Twistlock CVE Low nss-3.112.0-4.el9_4 0.00050 false
CVE-2023-50495 Anchore CVE Low ncurses-libs-6.2-10.20210508.el9_6.2 0.00050 false
CVE-2023-50495 Anchore CVE Low ncurses-base-6.2-10.20210508.el9_6.2 0.00050 false
CVE-2023-50495 Twistlock CVE Low ncurses-6.2-10.20210508.el9_6.2 0.00050 false
CVE-2022-27943 Anchore CVE Low libstdc++-11.5.0-5.el9_5 0.00050 false
CVE-2022-27943 Twistlock CVE Low gcc-11.5.0-5.el9_5 0.00050 false
CVE-2025-45582 Anchore CVE Medium tar-2:1.34-7.el9 0.00049 false
CVE-2025-45582 Twistlock CVE Medium tar-2:1.34-7.el9 0.00049 false
CVE-2024-29040 Anchore CVE Medium tpm2-tss-3.2.3-1.el9 0.00047 false
CVE-2024-29040 Twistlock CVE Medium tpm2-tss-3.2.3-1.el9 0.00047 false
CVE-2025-27152 Twistlock CVE High axios-1.6.1 0.00045 false
CVE-2024-29041 Twistlock CVE Medium express-4.18.2 When a user of Express performs a redirect using a user-provided URL, Express performs an encode using encodeurl on the contents before passing it to the location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list. The main method impacted is res.location, but this is also called from within res.redirect. The fix for this involves pre-parsing the url string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect. More details: https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc 0.00043 false
CVE-2024-55565 Twistlock CVE Medium nanoid-3.3.4 It is very rare to allow users to define ID size. Check that the user passes a real number. 0.00041 false
CVE-2025-30360 Twistlock CVE Medium webpack-dev-server-4.11.1 0.00039 false
CVE-2025-32997 Twistlock CVE Medium http-proxy-middleware-2.0.6 0.00037 false
CVE-2013-0340 Anchore CVE Medium expat-2.5.0-5.el9_6 0.00037 false
CVE-2025-5915 Anchore CVE Low libarchive-3.5.3-6.el9_6 0.00035 false
CVE-2025-5915 Twistlock CVE Low libarchive-3.5.3-6.el9_6 0.00035 false
CVE-2024-43167 Anchore CVE Low unbound-libs-1.16.2-19.el9_6.1 0.00034 false
CVE-2024-43167 Twistlock CVE Low unbound-1.16.2-19.el9_6.1 0.00034 false
CVE-2025-1371 Anchore CVE Low elfutils-default-yama-scope-0.192-6.el9_6 0.00033 false
CVE-2025-1371 Anchore CVE Low elfutils-libelf-0.192-6.el9_6 0.00033 false
CVE-2025-1371 Anchore CVE Low elfutils-libs-0.192-6.el9_6 0.00033 false
CVE-2025-1371 Twistlock CVE Low elfutils-0.192-6.el9_6 0.00033 false
CVE-2025-5916 Anchore CVE Low libarchive-3.5.3-6.el9_6 0.00031 false
CVE-2025-5916 Twistlock CVE Low libarchive-3.5.3-6.el9_6 0.00031 false
CVE-2025-32996 Twistlock CVE Medium http-proxy-middleware-2.0.6 0.00030 false
CVE-2025-6170 Anchore CVE Low libxml2-2.9.13-12.el9_6 0.00029 false
CVE-2025-6170 Twistlock CVE Low libxml2-2.9.13-12.el9_6 0.00029 false
CVE-2025-58754 Twistlock CVE Low axios-1.6.1 0.00028 false
CVE-2025-9230 Anchore CVE Medium openssl-libs-1:3.2.2-6.el9_5.1 0.00026 false
CVE-2025-9230 Anchore CVE Medium openssl-1:3.2.2-6.el9_5.1 0.00026 false
CVE-2025-9230 Twistlock CVE Medium openssl-1:3.2.2-6.el9_5.1 0.00026 false
CVE-2025-5917 Anchore CVE Low libarchive-3.5.3-6.el9_6 0.00026 false
CVE-2025-5917 Twistlock CVE Low libarchive-3.5.3-6.el9_6 0.00026 false
CVE-2025-5889 Twistlock CVE Low brace-expansion-1.1.11 I'm mirroring the CVE severity assessment here. Sanitize strings being passed to the function so that they don't contain many `,` in a row. 0.00026 false
CVE-2025-5889 Twistlock CVE Low brace-expansion-2.0.1 I'm mirroring the CVE severity assessment here. Sanitize strings being passed to the function so that they don't contain many `,` in a row. 0.00026 false
CVE-2025-5245 Anchore CVE Medium gdb-gdbserver-14.2-4.1.el9_6 0.00026 false
CVE-2025-5245 Twistlock CVE Medium gdb-14.2-4.1.el9_6 0.00026 false
CVE-2024-57360 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00026 false
CVE-2024-57360 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00026 false
CVE-2025-9714 Anchore CVE Medium libxml2-2.9.13-12.el9_6 0.00025 false
CVE-2025-9714 Twistlock CVE Medium libxml2-2.9.13-12.el9_6 0.00025 false
CVE-2025-5918 Anchore CVE Low libarchive-3.5.3-6.el9_6 0.00025 false
CVE-2025-5918 Twistlock CVE Low libarchive-3.5.3-6.el9_6 0.00025 false
CVE-2025-5278 Anchore CVE Medium coreutils-single-8.32-39.el9 0.00025 false
CVE-2025-5278 Twistlock CVE Medium coreutils-8.32-39.el9 0.00025 false
CVE-2025-9232 Anchore CVE Low openssl-1:3.2.2-6.el9_5.1 0.00023 false
CVE-2025-9232 Anchore CVE Low openssl-libs-1:3.2.2-6.el9_5.1 0.00023 false
CVE-2025-9232 Twistlock CVE Low openssl-1:3.2.2-6.el9_5.1 0.00023 false
CVE-2025-50181 Anchore CVE Medium python3-pip-wheel-21.3.1-1.el9 0.00023 false
CVE-2025-50181 Twistlock CVE Medium python-pip-21.3.1-1.el9 0.00023 false
CVE-2025-11495 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00020 false
CVE-2025-11495 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00020 false
CVE-2025-11494 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00020 false
CVE-2025-11494 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00020 false
CVE-2025-11414 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00020 false
CVE-2025-11414 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00020 false
CVE-2025-11413 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00020 false
CVE-2025-11413 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00020 false
CVE-2025-11412 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00020 false
CVE-2025-11412 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00020 false
CVE-2025-11083 Twistlock CVE Medium gdb-14.2-4.1.el9_6 0.00020 false
CVE-2025-11083 Anchore CVE Medium gdb-gdbserver-14.2-4.1.el9_6 0.00020 false
CVE-2025-11081 Twistlock CVE Medium gdb-14.2-4.1.el9_6 0.00020 false
CVE-2025-11081 Anchore CVE Medium gdb-gdbserver-14.2-4.1.el9_6 0.00020 false
CVE-2025-11082 Twistlock CVE Medium gdb-14.2-4.1.el9_6 0.00018 false
CVE-2025-11082 Anchore CVE Medium gdb-gdbserver-14.2-4.1.el9_6 0.00018 false
CVE-2024-0232 Anchore CVE Low sqlite-libs-3.34.1-8.el9_6 0.00018 false
CVE-2024-0232 Twistlock CVE Low sqlite-3.34.1-8.el9_6 0.00018 false
CVE-2025-3198 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00016 false
CVE-2025-3198 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00016 false
CVE-2025-50182 Anchore CVE Medium python3-pip-wheel-21.3.1-1.el9 0.00014 false
CVE-2025-50182 Twistlock CVE Medium python-pip-21.3.1-1.el9 0.00014 false
CVE-2024-25260 Anchore CVE Low elfutils-libelf-0.192-6.el9_6 0.00014 false
CVE-2024-25260 Anchore CVE Low elfutils-default-yama-scope-0.192-6.el9_6 0.00014 false
CVE-2024-25260 Anchore CVE Low elfutils-libs-0.192-6.el9_6 0.00014 false
CVE-2024-25260 Twistlock CVE Low elfutils-0.192-6.el9_6 0.00014 false
CVE-2025-4516 Anchore CVE Medium python3-libs-3.9.21-2.el9_6.2 0.00013 false
CVE-2025-4516 Anchore CVE Medium python3-3.9.21-2.el9_6.2 0.00013 false
CVE-2025-4516 Twistlock CVE Medium python3.9-3.9.21-2.el9_6.2 0.00013 false
CVE-2025-11840 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00013 false
CVE-2025-11840 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00013 false
CVE-2025-11839 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00013 false
CVE-2025-11839 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00013 false
CVE-2023-30571 Anchore CVE Medium libarchive-3.5.3-6.el9_6 0.00013 false
CVE-2023-30571 Twistlock CVE Medium libarchive-3.5.3-6.el9_6 0.00013 false
CVE-2022-47011 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00009 false
CVE-2022-47011 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00009 false
CVE-2022-47010 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00009 false
CVE-2022-47010 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00009 false
CVE-2022-47007 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 0.00009 false
CVE-2022-47007 Twistlock CVE Low gdb-14.2-4.1.el9_6 0.00009 false
CVE-2025-7339 Twistlock CVE Low on-headers-1.0.2 0.00006 false
CVE-2025-62813 Anchore CVE Medium lz4-libs-1.9.3-5.el9 N/A false
CVE-2025-60753 Anchore CVE Medium libarchive-3.5.3-6.el9_6 N/A false
CVE-2025-6075 Anchore CVE Low python3-libs-3.9.21-2.el9_6.2 N/A false
CVE-2025-6075 Anchore CVE Low python3-3.9.21-2.el9_6.2 N/A false
CVE-2025-52099 Twistlock CVE Medium sqlite-3.34.1-8.el9_6 N/A false
CVE-2025-52099 Anchore CVE Medium sqlite-libs-3.34.1-8.el9_6 N/A false
CVE-2025-11411 Twistlock CVE Medium unbound-1.16.2-19.el9_6.1 N/A false
CVE-2025-11411 Anchore CVE Medium unbound-libs-1.16.2-19.el9_6.1 N/A false
CVE-2023-2222 Anchore CVE Low gdb-gdbserver-14.2-4.1.el9_6 N/A false
CVE-2022-3638 Anchore CVE Low nginx-core-2:1.20.1-22.el9_6.3 N/A false
CVE-2022-3638 Anchore CVE Low nginx-filesystem-2:1.20.1-22.el9_6.3 N/A false
CVE-2022-3638 Anchore CVE Low nginx-2:1.20.1-22.el9_6.3 N/A false
e07d84b039b0e6fcea42fbda1d378647 Anchore Compliance Critical N/A N/A
b18c88ddeab24abfb92ae2ccddb0b022 Anchore Compliance Low N/A N/A
addbb93c22e9b0988b8b40392a4538cb Anchore Compliance Low N/A N/A
GHSA-wr3j-pwj9-hqq6 Anchore CVE High webpack-dev-middleware-5.3.3 N/A N/A
GHSA-v6h2-p8h4-qcjw Anchore CVE Low brace-expansion-2.0.1 N/A N/A
GHSA-v6h2-p8h4-qcjw Anchore CVE Low brace-expansion-1.1.11 N/A N/A
GHSA-rv95-896h-c2vc Anchore CVE Medium express-4.18.2 N/A N/A
GHSA-rhx6-c78j-4q9w Anchore CVE High path-to-regexp-0.1.7 N/A N/A
GHSA-qwcr-r2fm-qrc7 Anchore CVE High body-parser-1.20.1 N/A N/A
GHSA-qw6h-vgh9-j6wx Anchore CVE Low express-4.18.2 N/A N/A
GHSA-pxg6-pf52-xh8x Anchore CVE Low cookie-0.5.0 N/A N/A
GHSA-mwcw-c2x4-8c55 Anchore CVE Medium nanoid-3.3.4 N/A N/A
GHSA-m6fv-jmcg-4jfg Anchore CVE Low send-0.18.0 N/A N/A
GHSA-jr5f-v2jv-69x6 Anchore CVE High axios-1.6.1 N/A N/A
GHSA-grv7-fg5c-xmjg Anchore CVE High braces-3.0.2 N/A N/A
GHSA-ghr5-ch3p-vcr6 Anchore CVE Medium ejs-3.1.8 N/A N/A
GHSA-gcx4-mw62-g8wm Anchore CVE High rollup-2.79.1 N/A N/A
GHSA-fjxv-7rqg-78g4 Anchore CVE Critical form-data-4.0.0 N/A N/A
GHSA-fjxv-7rqg-78g4 Anchore CVE Critical form-data-3.0.1 N/A N/A
GHSA-cxjh-pqwp-8mfp Anchore CVE Medium follow-redirects-1.15.4 N/A N/A
GHSA-cm22-4g7w-348p Anchore CVE Low serve-static-1.15.0 N/A N/A
GHSA-c7qv-q95q-8v27 Anchore CVE High http-proxy-middleware-2.0.6 N/A N/A
GHSA-9wv6-86v2-598j Anchore CVE High path-to-regexp-1.8.0 N/A N/A
GHSA-9wv6-86v2-598j Anchore CVE High path-to-regexp-0.1.7 N/A N/A
GHSA-9jgg-88mc-972h Anchore CVE Medium webpack-dev-server-4.11.1 N/A N/A
GHSA-9gqv-wp59-fq42 Anchore CVE Medium http-proxy-middleware-2.0.6 N/A N/A
GHSA-968p-4wvh-cqc8 Anchore CVE Medium @babel/runtime-7.20.6 N/A N/A
GHSA-968p-4wvh-cqc8 Anchore CVE Medium @babel/helpers-7.20.6 N/A N/A
GHSA-968p-4wvh-cqc8 Anchore CVE Medium @babel/runtime-corejs3-7.20.6 N/A N/A
GHSA-952p-6rrq-rcjv Anchore CVE Medium micromatch-4.0.5 N/A N/A
GHSA-8hc4-vh64-cxmj Anchore CVE High axios-1.6.1 N/A N/A
GHSA-7fh5-64p2-3v2j Anchore CVE Medium postcss-7.0.39 N/A N/A
GHSA-7fh5-64p2-3v2j Anchore CVE Medium postcss-8.4.19 N/A N/A
GHSA-76p7-773f-r4q5 Anchore CVE Medium serialize-javascript-6.0.0 N/A N/A
GHSA-76c9-3jph-rj3q Anchore CVE Low on-headers-1.0.2 N/A N/A
GHSA-4www-5p9h-95mh Anchore CVE Medium http-proxy-middleware-2.0.6 N/A N/A
GHSA-4vvj-4cpr-p986 Anchore CVE Medium webpack-5.76.1 N/A N/A
GHSA-4v9v-hfq4-rm2v Anchore CVE Medium webpack-dev-server-4.11.1 N/A N/A
GHSA-4hjh-wcwx-xvwj Anchore CVE High axios-1.6.1 N/A N/A
GHSA-3xgq-45jj-v275 Anchore CVE High cross-spawn-7.0.3 N/A N/A
GHSA-3h5v-q93c-6h6q Anchore CVE High ws-7.5.9 N/A N/A
GHSA-3h5v-q93c-6h6q Anchore CVE High ws-8.11.0 N/A N/A
CCE-87567-4 OSCAP Compliance Medium N/A N/A
CCE-86570-9 OSCAP Compliance Medium N/A N/A
CCE-86474-4 OSCAP Compliance Medium N/A N/A
CCE-86208-6 OSCAP Compliance Medium N/A N/A
CCE-83623-9 OSCAP Compliance Medium N/A N/A
CCE-83450-7 OSCAP Compliance High N/A N/A
6d292b9d3b357caa519a3d781baf45a5 Anchore Compliance Critical N/A N/A

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=phylum/ui&tag=1.17.5&branch=master

Tasks

Contributor:

  • Apply the StatusReview label to this issue for a merge request review and wait for feedback

OR

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730 EST to answer questions.
