Security Advisories
The Common Vulnerabilities and Exposures (CVE) system is used to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. CAST monitors all CVEs affecting its products and extensions and publishes a security advisory for each release documenting which CVEs are fixed, which are not applicable, and which are pending resolution with an estimated fix timeline.
Use the filters to search by CVE ID, package, product, version, platform, or severity. Any filtered view can be bookmarked or shared via its URL.
| Product / Service | CVE | Published / Updated | Severity | Affected Releases | Status (latest) | Fixed In |
|---|---|---|---|---|---|---|
VEX attestations are published to Docker Hub alongside every CAST image. Scanners that support registry attestations consume them automatically. For other tools, extract the VEX document from the registry with the Docker Scout CLI and pass it to the scanner; there is no separate file to download from this site.
```bash
# Trivy — automatic
trivy image castimaging/neo4j:3.6.3

# Docker Scout — automatic
docker scout cves castimaging/neo4j:3.6.3

# Other scanners — extract the OpenVEX document first, then pass it to your tool
docker scout attestation inspect \
  --predicate-type https://openvex.dev/ns/v0.2.0 \
  castimaging/neo4j:3.6.3 > vex.json
```
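The extraction step above leaves you with a vex.json and a scanner report that does not understand it. The filter below is an added example, not CAST's or Docker's code: it applies OpenVEX statements to a Trivy-style JSON report. It assumes the OpenVEX v0.2.0 document layout and Trivy's Results[].Vulnerabilities[] shape; the product PURL, CVE numbers and package names are constructed placeholders. Two checks matter for safety: a statement is only honoured when it names the product being scanned, and a not_affected statement without a justification or impact statement is treated as malformed rather than trusted. Only not_affected and fixed suppress a finding; affected and under_investigation stay visible.

```python
"""Apply an OpenVEX document to a scanner report.

Added example, not CAST's or Docker's code. Inputs: a VEX document in the
OpenVEX v0.2.0 shape (what the extraction step above writes to vex.json) and
a scanner report in the Trivy JSON layout (Results[].Vulnerabilities[]).
Every sample below is constructed; the product PURL is hypothetical.
"""
import json
import sys

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
# Only these statuses remove a finding. "affected" and "under_investigation"
# deliberately stay visible in the filtered report.
SUPPRESSING = {"not_affected", "fixed"}
# Hypothetical product id; real attestations identify the image by digest.
PRODUCT = "pkg:oci/neo4j@sha256:aaaa"

VEX_DOC = {  # constructed sample
    "@context": OPENVEX_CONTEXT,
    "@id": "https://example.invalid/vex/sample-1",
    "author": "sample vendor",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        # still open: must survive filtering
        {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": PRODUCT}],
         "status": "under_investigation"},
        # unreachable, with a CISA justification label: suppress
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        # not_affected with no justification: invalid in OpenVEX, do not trust it
        {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected"},
        # statement about another image: must not apply to this one
        {"vulnerability": {"name": "CVE-0000-0004"},
         "products": [{"@id": "pkg:oci/keycloak@sha256:bbbb"}],
         "status": "not_affected", "justification": "component_not_present"},
    ],
}

SCANNER_REPORT = {  # constructed sample in Trivy's JSON layout
    "ArtifactName": "castimaging/neo4j:3.6.3",
    "Results": [{"Target": "castimaging/neo4j:3.6.3 (debian 12)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "MEDIUM"},
        {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libqux", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-0000-0005", "PkgName": "libquux", "Severity": "LOW"},
    ]}],
}


def load_statements(doc, product_id):
    """Return {cve: statement} for statements that name product_id.

    A later statement for the same CVE overrides an earlier one. A
    not_affected statement without a justification or impact_statement is
    malformed under OpenVEX and is ignored rather than honoured.
    """
    if doc.get("@context") != OPENVEX_CONTEXT:
        raise ValueError(f"unexpected VEX context: {doc.get('@context')!r}")
    applicable = {}
    for stmt in doc.get("statements", []):
        if product_id not in {p.get("@id") for p in stmt.get("products", [])}:
            continue
        if stmt.get("status") == "not_affected" and not (
                stmt.get("justification") or stmt.get("impact_statement")):
            continue
        applicable[stmt["vulnerability"]["name"]] = stmt
    return applicable


def apply_vex(report, doc, product_id):
    """Split findings into (kept, suppressed).

    kept:       [(cve, vex_status or "no_vex_statement"), ...]
    suppressed: [(cve, status, justification), ...]
    """
    statements = load_statements(doc, product_id)
    kept, suppressed = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            cve = vuln["VulnerabilityID"]
            stmt = statements.get(cve)
            if stmt and stmt["status"] in SUPPRESSING:
                suppressed.append((cve, stmt["status"], stmt.get("justification", "")))
            else:
                kept.append((cve, stmt["status"] if stmt else "no_vex_statement"))
    return kept, suppressed


if __name__ == "__main__":
    # usage: python vex_filter.py trivy.json vex.json <product-purl>
    # (no arguments: run against the constructed samples above)
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as f:
            report = json.load(f)
        with open(sys.argv[2]) as f:
            doc = json.load(f)
        product = sys.argv[3]
    else:
        report, doc, product = SCANNER_REPORT, VEX_DOC, PRODUCT
    kept, suppressed = apply_vex(report, doc, product)
    for cve, status, why in suppressed:
        print(f"SUPPRESSED {cve}: {status} ({why})")
    for cve, status in kept:
        print(f"OPEN       {cve}: {status}")
```

Trivy itself can read the file with `trivy image --vex vex.json castimaging/neo4j:3.6.3`; the script is for scanners that cannot. Match the product by the digest of the image you actually pulled rather than by tag, since a tag can be moved to a different image than the one the attestation describes.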
VEX status reference
| Status | Meaning |
|---|---|
| Fixed | A patched version has shipped in the release listed in the “Fixed In” column. |
| Not Affected | The vulnerable code path is not reachable in our deployment. The justification explains why, using the CISA VEX justification labels. |
| False Positive | The scanner reports the CVE but the installed version already includes the fix, or a PURL classifier mismatch triggers the finding. |
| Under Investigation | The vulnerability is confirmed present. A fix is being assessed or developed. |
| Vendor Dependent | The fix requires an upstream component upgrade (e.g. Neo4j, Keycloak base image) not yet available or not yet qualified. |
| OS Vendor | The CVE is in a system package (e.g. a Debian library). The OS vendor has not yet issued a patch or has marked it NODSA (no immediate fix required). |
CVE IDs are loaded client-side and are not indexed by the site-wide search engine. Use the search box in the table above to find a specific CVE ID.
Related pages
- Compliance FAQ — secure development lifecycle, FIPS, authentication, and data protection
- Development Life-cycle — third-party component update policy, malware scanning, and release security practices
Per-product security fix release notes: