chore(findings): via-science/tac/bigchaindb
Summary
via-science/tac/bigchaindb has 24 new findings discovered during continuous monitoring.
Layer: opensource/python:3.11.12-alpine is EOL, please update if possible
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=via-science/tac/bigchaindb&tag=3.3.51&branch=master
EPSS (Exploit Prediction Scoring System) provides an estimate of the likelihood that a vulnerability will be exploited in the wild.
KEV (Known Exploited Vulnerabilities) indicates whether a vulnerability is actively being exploited according to CISA.
| id | source | severity | package | impact | workaround | epss_score | kev |
|---|---|---|---|---|---|---|---|
| CVE-2025-47273 | Twistlock CVE | High | setuptools-78.1.0 | 0.00162 | false | ||
| CVE-2024-6839 | Twistlock CVE | Medium | flask-cors-5.0.0 | 0.00124 | false | ||
| CVE-2025-8194 | Anchore CVE | High | python-3.11.12 | 0.00096 | false | ||
| CVE-2025-8194 | Anchore CVE | High | python-3.11.12 | 0.00096 | false | ||
| CVE-2025-6069 | Anchore CVE | Medium | python-3.11.12 | 0.00090 | false | ||
| CVE-2025-6069 | Anchore CVE | Medium | python-3.11.12 | 0.00090 | false | ||
| CVE-2024-6866 | Twistlock CVE | Medium | flask-cors-5.0.0 | 0.00082 | false | ||
| CVE-2024-47081 | Twistlock CVE | Medium | requests-2.32.3 | 0.00078 | false | ||
| CVE-2024-6844 | Twistlock CVE | Medium | flask-cors-5.0.0 | 0.00057 | false | ||
| CVE-2025-4575 | Twistlock CVE | Low | openssl-3.3.4-r0 | 0.00030 | false | ||
| CVE-2025-4575 | Anchore CVE | Medium | libssl3-3.3.4-r0 | 0.00030 | false | ||
| CVE-2025-4575 | Anchore CVE | Medium | libcrypto3-3.3.4-r0 | 0.00030 | false | ||
| CVE-2025-4575 | Anchore CVE | Medium | openssl-3.3.4-r0 | 0.00030 | false | ||
| CVE-2025-4565 | Twistlock CVE | High | protobuf-4.25.3 | 0.00025 | false | ||
| CVE-2025-50181 | Twistlock CVE | Medium | urllib3-2.3.0 | Most users dont disable redirects on the PoolManager. | Set redirectsFalseredirects0 on the .request call instead of on the toplevel urllib3.PoolManager | 0.00015 | false |
| CVE-2025-50182 | Twistlock CVE | Medium | urllib3-2.3.0 | Pyodide is extremely rare configuration for users in production. | 0.00013 | false | |
| GHSA-pq67-6m6q-mj2v | Anchore CVE | Medium | urllib3-2.3.0 | N/A | N/A | ||
| GHSA-9hjg-9r4m-mvj7 | Anchore CVE | Medium | requests-2.32.3 | N/A | N/A | ||
| GHSA-8vgw-p6qm-5gr7 | Anchore CVE | Medium | flask-cors-5.0.0 | N/A | N/A | ||
| GHSA-8qvm-5x2c-j2w7 | Anchore CVE | High | protobuf-4.25.3 | N/A | N/A | ||
| GHSA-7rxf-gvfg-47g4 | Anchore CVE | Medium | flask-cors-5.0.0 | N/A | N/A | ||
| GHSA-5rjg-fvgr-3xxf | Anchore CVE | High | setuptools-78.1.0 | N/A | N/A | ||
| GHSA-48p4-8xcf-vxj5 | Anchore CVE | Medium | urllib3-2.3.0 | N/A | N/A | ||
| GHSA-43qf-4rqw-9q2g | Anchore CVE | Medium | flask-cors-5.0.0 | N/A | N/A |
More information can be found in the VAT located here: https://vat.dso.mil/vat/image?imageName=via-science/tac/bigchaindb&tag=3.3.51&branch=master
Tasks
Contributor:
-
Apply the StatusReview label to this issue for a merge request reviewand wait for feedback
OR
-
Provide justifications for findings in the VAT (docs) -
Apply the StatusVerification label to this issue for a VAT justifications reviewand wait for feedback
Iron Bank:
-
Review findings and justifications
Note: If the above process is rejected for any reason, the
RevieworVerificationlabel will be removed and the issue will be sent back toTo-Do. Any comments will be listed in this issue for you to address. Once they have been addressed, you must re-add theRevieworVerificationlabel.
Questions?
Contact the Iron Bank team by commenting on this issue with your questions or concerns. If you do not receive a response, add /cc @ironbank-notifications/onboarding.
Additionally, Iron Bank hosts an AMA working session every Wednesday from 1630-1730EST to answer questions.