UNCLASSIFIED - NO CUI

Skip to content

chore(findings): rancher-federal/rke2/k8s-metrics-server

Summary

rancher-federal/rke2/k8s-metrics-server has 98 new findings discovered during continuous monitoring.

Layer: suse/bci/bci-base:15.5 is EOL, please update if possible

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=rancher-federal/rke2/k8s-metrics-server&tag=v0.6.3-build20230607&branch=master

EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.

KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.

id source severity package impact workaround epss_score kev
CVE-2023-44487 Anchore CVE High stdlib-go1.20.4 0.94474 true
CVE-2023-44487 Twistlock CVE Medium google.golang.org/grpc/internal/transport-v1.50.1 0.94474 true
CVE-2023-44487 Twistlock CVE Medium google.golang.org/grpc-v1.50.1 0.94474 true
CVE-2023-45288 Anchore CVE High stdlib-go1.20.4 0.66635 false
CVE-2023-45288 Twistlock CVE Medium golang.org/x/net/http2-v0.7.0 0.66635 false
CVE-2023-45288 Twistlock CVE Medium net/http-1.20.4 0.66635 false
CVE-2023-47108 Twistlock CVE High go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc-v0.20.0 0.02678 false
CVE-2024-24787 Anchore CVE Medium stdlib-go1.20.4 0.02135 false
CVE-2024-24784 Anchore CVE High stdlib-go1.20.4 0.01498 false
CVE-2023-45142 Twistlock CVE High go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.20.0 0.00959 false
CVE-2024-24791 Anchore CVE High stdlib-go1.20.4 0.00635 false
CVE-2024-24791 Twistlock CVE Low net/http-1.20.4 0.00635 false
CVE-2024-24783 Anchore CVE Medium stdlib-go1.20.4 0.00445 false
CVE-2024-24783 Twistlock CVE Low crypto/x509-1.20.4 0.00445 false
CVE-2023-45289 Anchore CVE Medium stdlib-go1.20.4 0.00409 false
CVE-2023-45289 Twistlock CVE Low net/http-1.20.4 0.00409 false
CVE-2023-24531 Anchore CVE Critical stdlib-go1.20.4 0.00354 false
CVE-2023-45290 Anchore CVE Medium stdlib-go1.20.4 0.00327 false
CVE-2023-45290 Twistlock CVE Low net/textproto-1.20.4 0.00327 false
CVE-2023-29405 Anchore CVE Critical stdlib-go1.20.4 0.00326 false
CVE-2024-34156 Anchore CVE High stdlib-go1.20.4 0.00268 false
CVE-2024-24785 Anchore CVE Medium stdlib-go1.20.4 0.00246 false
CVE-2024-24785 Twistlock CVE Low html/template-1.20.4 0.00246 false
CVE-2024-24786 Twistlock CVE Medium google.golang.org/protobuf/internal/encoding/json-v1.28.1 0.00238 false
CVE-2024-24786 Twistlock CVE Medium google.golang.org/protobuf/encoding/protojson-v1.28.1 0.00238 false
CVE-2023-29406 Anchore CVE Medium stdlib-go1.20.4 0.00230 false
CVE-2023-29406 Twistlock CVE Medium net/http-1.20.4 0.00230 false
CVE-2023-39325 Anchore CVE High stdlib-go1.20.4 0.00163 false
CVE-2023-39325 Twistlock CVE High net/http-1.20.4 0.00163 false
CVE-2023-39325 Twistlock CVE High golang.org/x/net/http2-v0.7.0 0.00163 false
CVE-2024-45338 Anchore CVE Medium golang.org/x/net-v0.7.0 0.00157 false
CVE-2024-34158 Anchore CVE High stdlib-go1.20.4 0.00147 false
CVE-2023-29402 Anchore CVE Critical stdlib-go1.20.4 0.00124 false
CVE-2023-29409 Anchore CVE Medium stdlib-go1.20.4 0.00112 false
CVE-2023-29409 Twistlock CVE Medium crypto/tls-1.20.4 0.00112 false
CVE-2023-39319 Anchore CVE Medium stdlib-go1.20.4 0.00085 false
CVE-2023-39319 Twistlock CVE Medium html/template-1.20.4 0.00085 false
CVE-2023-39318 Anchore CVE Medium stdlib-go1.20.4 0.00085 false
CVE-2023-39318 Twistlock CVE Medium html/template-1.20.4 0.00085 false
CVE-2023-29404 Anchore CVE Critical stdlib-go1.20.4 0.00083 false
CVE-2024-34155 Anchore CVE Medium stdlib-go1.20.4 0.00073 false
CVE-2024-34155 Twistlock CVE Low go/parser-1.20.4 0.00073 false
CVE-2024-24790 Anchore CVE Critical stdlib-go1.20.4 0.00070 false
CVE-2024-24790 Twistlock CVE Critical net/netip-1.20.4 0.00070 false
CVE-2023-39323 Anchore CVE High stdlib-go1.20.4 0.00060 false
CVE-2024-45336 Anchore CVE Medium stdlib-go1.20.4 0.00055 false
CVE-2024-45336 Twistlock CVE Low net/http-1.20.4 0.00055 false
CVE-2023-45285 Anchore CVE High stdlib-go1.20.4 0.00055 false
CVE-2023-39326 Anchore CVE Medium stdlib-go1.20.4 0.00048 false
CVE-2023-39326 Twistlock CVE Medium net/http/internal-1.20.4 0.00048 false
CVE-2024-45341 Anchore CVE Medium stdlib-go1.20.4 0.00039 false
CVE-2024-45341 Twistlock CVE Low crypto/x509-1.20.4 0.00039 false
CVE-2025-47906 Twistlock CVE Low os/exec-1.20.4 0.00024 false
CVE-2025-47906 Anchore CVE Medium stdlib-go1.20.4 0.00024 false
CVE-2025-22871 Anchore CVE Critical stdlib-go1.20.4 0.00023 false
CVE-2025-22871 Twistlock CVE Low net/http/internal-1.20.4 0.00023 false
CVE-2023-45284 Twistlock CVE Medium path/filepath-1.20.4 0.00022 false
CVE-2025-47907 Anchore CVE High stdlib-go1.20.4 0.00019 false
CVE-2025-4673 Twistlock CVE Low net/http-1.20.4 0.00015 false
CVE-2025-4673 Anchore CVE Medium stdlib-go1.20.4 0.00015 false
CVE-2025-22866 Anchore CVE Medium stdlib-go1.20.4 0.00013 false
CVE-2025-22866 Twistlock CVE Low crypto/internal/nistec-1.20.4 0.00013 false
CVE-2023-29403 Anchore CVE High stdlib-go1.20.4 0.00009 false
CVE-2023-29403 Twistlock CVE High runtime-1.20.4 0.00009 false
CVE-2025-4674 Anchore CVE High stdlib-go1.20.4 0.00006 false
CVE-2024-24789 Anchore CVE Medium stdlib-go1.20.4 0.00006 false
CVE-2025-61725 Anchore CVE High stdlib-go1.20.4 N/A false
CVE-2025-61724 Twistlock CVE Low net/textproto-1.20.4 N/A false
CVE-2025-61724 Anchore CVE Medium stdlib-go1.20.4 N/A false
CVE-2025-61723 Twistlock CVE Low encoding/pem-1.20.4 N/A false
CVE-2025-61723 Anchore CVE High stdlib-go1.20.4 N/A false
CVE-2025-58189 Twistlock CVE Low crypto/tls-1.20.4 N/A false
CVE-2025-58189 Anchore CVE Medium stdlib-go1.20.4 N/A false
CVE-2025-58188 Twistlock CVE Low crypto/x509-1.20.4 N/A false
CVE-2025-58188 Anchore CVE High stdlib-go1.20.4 N/A false
CVE-2025-58187 Twistlock CVE Low crypto/x509-1.20.4 N/A false
CVE-2025-58187 Anchore CVE High stdlib-go1.20.4 N/A false
CVE-2025-58186 Twistlock CVE Low net/http-1.20.4 N/A false
CVE-2025-58186 Anchore CVE Medium stdlib-go1.20.4 N/A false
CVE-2025-58185 Anchore CVE Medium stdlib-go1.20.4 N/A false
CVE-2025-58183 Anchore CVE Medium stdlib-go1.20.4 N/A false
CVE-2025-47912 Twistlock CVE Low net/url-1.20.4 N/A false
CVE-2025-47912 Anchore CVE Medium stdlib-go1.20.4 N/A false
GHSA-vvgc-356p-c3xw Anchore CVE Medium golang.org/x/net-v0.7.0 N/A N/A
GHSA-v778-237x-gjrc Anchore CVE Critical golang.org/x/crypto-v0.6.0 N/A N/A
GHSA-rcjv-mgp8-qvmr Anchore CVE High go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp-v0.20.0 N/A N/A
GHSA-qxp5-gwg8-xv66 Anchore CVE Medium golang.org/x/net-v0.7.0 N/A N/A
GHSA-qppj-fm5r-hxr3 Anchore CVE Medium golang.org/x/net-v0.7.0 N/A N/A
GHSA-m425-mq94-257g Anchore CVE High google.golang.org/grpc-v1.50.1 N/A N/A
GHSA-hcg3-q754-cr77 Anchore CVE High golang.org/x/crypto-v0.6.0 N/A N/A
GHSA-8r3f-844c-mc37 Anchore CVE Medium google.golang.org/protobuf-v1.28.1 N/A N/A
GHSA-6v2p-p543-phr9 Anchore CVE High golang.org/x/oauth2-v0.5.0 N/A N/A
GHSA-4v7x-pqxf-cx7m Anchore CVE Medium golang.org/x/net-v0.7.0 N/A N/A
GHSA-45x7-px36-x8w8 Anchore CVE Medium golang.org/x/crypto-v0.6.0 N/A N/A
GHSA-4374-p667-p6c8 Anchore CVE High golang.org/x/net-v0.7.0 N/A N/A
GHSA-2wrh-6pvc-2jm9 Anchore CVE Medium golang.org/x/net-v0.7.0 N/A N/A
CCE-85755-7 OSCAP Compliance Medium N/A N/A
CCE-85567-6 OSCAP Compliance Medium N/A N/A

More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=rancher-federal/rke2/k8s-metrics-server&tag=v0.6.3-build20230607&branch=master

Tasks

Contributor:

  • Apply the StatusReview label to this issue for a merge request review and wait for feedback

OR

  • Provide justifications for findings in the VAT (docs)
  • Apply the StatusVerification label to this issue for a VAT justifications review and wait for feedback

Iron Bank:

  • Review findings and justifications

Note: If the above process is rejected for any reason, the Review or Verification label will be removed and the issue will be sent back to To-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add the Review or Verification label.

Questions?

Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.

Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.

Edited by CHORE_TOKEN
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

UNCLASSIFIED - NO CUI