Security Advisories

Searchable Security Advisories with remediation status for all CAST products and extensions.

How CAST manages vulnerabilities

The Common Vulnerabilities and Exposures (CVE) system is used to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. CAST actively monitors CVEs across all products and publishes a full security advisory for every release.

Continuous monitoring

Every CAST container image is scanned daily using Trivy, Docker Scout, Grype, and CAST Highlight (which deep-scans nested archives such as JARs for OSS CVEs and license issues). When a new HIGH or CRITICAL vulnerability is detected:

  • A JIRA ticket is automatically created and assigned to the component owner.
  • The security team reviews the finding and assesses its real-world impact on CAST deployments.
  • A VEX status is published on this page, documenting the assessment and the planned remediation.

Release gate

Before any production release, a full dependency scan is mandatory. Deployments are automatically blocked if an unmitigated CRITICAL or HIGH vulnerability is detected. When a vulnerable dependency cannot be immediately replaced (for example, it is waiting on an upstream vendor fix), a risk assessment is documented and an exception is granted through a formal change management process.

Not all CVEs require an immediate fix

A CVE with a HIGH severity score does not always represent an urgent risk in practice. CAST assesses each finding in context:

  • OS base image packages: CAST container images are built on Docker Hub hardened base images. When a CVE affects a system package in that base image, the fix depends on Docker Hub publishing an updated image. CAST integrates the update as soon as it becomes available.
  • Upstream vendor dependencies (e.g. Neo4j, Keycloak): the fix must come from the upstream project. CAST tracks the upstream release and qualifies the upgrade before shipping it.
  • Not reachable in practice: some CVEs affect a code path that is never exercised in CAST’s deployment (e.g. a build-time tool not present at runtime, or a network feature disabled in our configuration). These are documented as Not Affected with a detailed justification.

The table below reflects this full transparency: every tracked CVE, its current status, and the reasoning behind it.


Use the filters to search by CVE ID, package, product, version, platform, or severity. Any filtered view can be bookmarked or shared via its URL.

Advisory table (columns: Product / Service, CVE, Published / Updated, Severity, Affected Releases, Status (latest), Fixed In). Grouping options: fixed in release, detected after, pre-existing, severity (descending), date (descending).

VEX status reference

Fixed: A patched version has shipped in the release listed in the “Fixed In” column.
Not Affected: The vulnerable code path is not reachable in our deployment. The justification explains why — aligned with CISA VEX justification labels.
Affected: The vulnerability is confirmed exploitable in this product. An action statement specifying the required remediation is included in the VEX attestation.
False Positive: The scanner reports the CVE but the installed version already includes the fix, or a PURL classifier mismatch triggers the finding.
Under Review: The vulnerability is confirmed present. A fix is being assessed or developed.
Waiting for Upstream Fix: The fix requires an upstream component upgrade (e.g. Neo4j, Keycloak base image) not yet available or not yet qualified.
Waiting for OS Update: The CVE is in a system package (e.g. libc, openssl) managed by the OS vendor (Debian/Ubuntu). No fix is available from the OS vendor yet. CAST integrates the update as soon as the base image is updated.
Fix Incoming: A fix exists in an upstream version that CAST has not yet shipped. The “Fixed In” column shows the target release.
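To show how the release gate described above combines with the VEX status reference, here is an added worked example (not CAST's own tooling). It takes scanner findings and VEX statements, both constructed inline with placeholder CVE ids, packages and a hypothetical change-management ticket id, and decides per finding whether the release would be blocked: HIGH/CRITICAL findings pass only when their status closes the finding (Fixed, Not Affected, False Positive) or when an exception is documented; a Not Affected statement is accepted only with one of the CISA/OpenVEX justification labels. The mapping of the "waiting" statuses onto the exception rule is this example's assumption about how the page's policy would be encoded.

```python
"""Release-gate triage of scanner findings against VEX statements.

Added example; not CAST's tooling. All inputs below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Justification labels defined by CISA / OpenVEX for a not_affected status.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Statuses from the reference table that close a finding outright.
CLOSED_STATUSES = {"Fixed", "Not Affected", "False Positive"}
# Statuses where the vulnerability is still present in the shipped build;
# assumption: these pass the gate only with a documented exception.
OPEN_STATUSES = {"Affected", "Under Review", "Waiting for Upstream Fix",
                 "Waiting for OS Update", "Fix Incoming"}
BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str      # PURL-style identifier (constructed)
    severity: str
    image: str


@dataclass(frozen=True)
class VexStatement:
    cve: str
    package: str
    status: str
    justification: Optional[str] = None
    exception_id: Optional[str] = None  # hypothetical change-management ticket


def validate_statement(stmt: VexStatement) -> None:
    """Reject statements that would not stand as a VEX attestation."""
    if stmt.status not in CLOSED_STATUSES | OPEN_STATUSES:
        raise ValueError(f"{stmt.cve}: unknown status {stmt.status!r}")
    if stmt.status == "Not Affected" and stmt.justification not in NOT_AFFECTED_JUSTIFICATIONS:
        raise ValueError(f"{stmt.cve}: Not Affected requires a CISA justification label")


def gate_decision(finding: Finding, stmt: Optional[VexStatement]) -> Tuple[bool, str]:
    """Return (blocks_release, reason) for a single finding."""
    if finding.severity not in BLOCKING_SEVERITIES:
        return False, "below gate threshold"
    if stmt is None:
        return True, "no VEX statement"          # unassessed HIGH/CRITICAL blocks
    if stmt.status in CLOSED_STATUSES:
        return False, stmt.status
    if stmt.exception_id:
        return False, f"{stmt.status} (exception {stmt.exception_id})"
    return True, stmt.status


def evaluate_release(findings: List[Finding],
                     statements: List[VexStatement]) -> Dict[Tuple[str, str], Tuple[bool, str]]:
    """Apply the gate to every finding, keyed by (cve, package)."""
    index = {}
    for s in statements:
        validate_statement(s)
        index[(s.cve, s.package)] = s
    return {(f.cve, f.package): gate_decision(f, index.get((f.cve, f.package)))
            for f in findings}


def blocking_cves(findings: List[Finding], statements: List[VexStatement]) -> List[str]:
    """CVE ids that would block the release, sorted for a stable report."""
    results = evaluate_release(findings, statements)
    return sorted(cve for (cve, _), (blocks, _) in results.items() if blocks)


# Constructed sample data: placeholder CVE ids, packages and image name.
IMAGE = "example/service:1.0"
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "pkg:deb/debian/libexample@1.0", "HIGH", IMAGE),
    Finding("CVE-0000-0002", "pkg:deb/debian/openssl@3.0.0", "CRITICAL", IMAGE),
    Finding("CVE-0000-0003", "pkg:maven/org.example/lib@2.1", "CRITICAL", IMAGE),
    Finding("CVE-0000-0004", "pkg:maven/org.example/other@1.0", "MEDIUM", IMAGE),
    Finding("CVE-0000-0005", "pkg:maven/org.example/new@4.0", "HIGH", IMAGE),
    Finding("CVE-0000-0006", "pkg:maven/org.example/tool@1.2", "HIGH", IMAGE),
]
SAMPLE_STATEMENTS = [
    VexStatement("CVE-0000-0001", "pkg:deb/debian/libexample@1.0", "Not Affected",
                 justification="vulnerable_code_not_in_execute_path"),
    VexStatement("CVE-0000-0002", "pkg:deb/debian/openssl@3.0.0", "Waiting for OS Update"),
    VexStatement("CVE-0000-0003", "pkg:maven/org.example/lib@2.1", "Waiting for Upstream Fix",
                 exception_id="CHG-PLACEHOLDER"),
    VexStatement("CVE-0000-0006", "pkg:maven/org.example/tool@1.2", "False Positive"),
]

if __name__ == "__main__":
    for key, (blocks, reason) in evaluate_release(SAMPLE_FINDINGS, SAMPLE_STATEMENTS).items():
        print(f"{key[0]} {'BLOCK' if blocks else 'pass '} {reason}")
    print("release blocked:", bool(blocking_cves(SAMPLE_FINDINGS, SAMPLE_STATEMENTS)))
```

In the sample run, the OS package CVE with no exception and the unassessed HIGH finding block the release, while the justified Not Affected, the False Positive and the upstream-wait with a documented exception pass; a Not Affected statement without a justification label is rejected before triage even starts.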

  • Compliance FAQ — FIPS, authentication, data protection, and secure development lifecycle details
  • Secure Development — third-party component policy, malware scanning, and integrity verification

Per-product security fix release notes: