Security Advisories
How CAST manages vulnerabilities
The Common Vulnerabilities and Exposures (CVE) system is used to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. CAST actively monitors CVEs across all products and publishes a full security advisory for every release.
Continuous monitoring
Every CAST container image is scanned daily using Trivy, Docker Scout, Grype, and CAST Highlight (which deep-scans nested archives such as JARs for OSS CVEs and license issues). When a new HIGH or CRITICAL vulnerability is detected:
- A JIRA ticket is automatically created and assigned to the component owner.
- The security team reviews the finding and assesses its real-world impact on CAST deployments.
- A VEX status is published on this page, documenting the assessment and the planned remediation.
Release gate
Before any production release, a full dependency scan is mandatory. Deployments are automatically blocked if an unmitigated CRITICAL or HIGH vulnerability is detected. When a vulnerable dependency cannot be immediately replaced (for example, it is waiting on an upstream vendor fix), a risk assessment is documented and an exception is granted through a formal change management process.
Not all CVEs require an immediate fix
A CVE with a HIGH severity score does not always represent an urgent risk in practice. CAST assesses each finding in context:
- OS base image packages: CAST container images are built on Docker Hub hardened base images. When a CVE affects a system package in that base image, the fix depends on Docker Hub publishing an updated image. CAST integrates the update as soon as it becomes available.
- Upstream vendor dependencies (e.g. Neo4j, Keycloak): the fix must come from the upstream project. CAST tracks the upstream release and qualifies the upgrade before shipping it.
- Not reachable in practice: some CVEs affect a code path that is never exercised in CAST’s deployment (e.g. a build-time tool not present at runtime, or a network feature disabled in our configuration). These are documented as Not Affected with a detailed justification.
The table below reflects this full transparency: every tracked CVE, its current status, and the reasoning behind it.
Use the filters to search by CVE ID, package, product, version, platform, or severity. Any filtered view can be bookmarked or shared via its URL.
| Product / Service | CVE | Published / Updated | Severity | Affected Releases | Status (latest) | Fixed In |
|---|---|---|---|---|---|---|
VEX attestations are published to Docker Hub alongside every CAST image as OCI referrers (artifact type application/vnd.openvex). Download the attestation and pass it to your scanner with the --vex flag:
```bash
# 1. Discover the VEX referrer digest (requires ORAS — https://oras.land)
DIGEST=$(oras discover castimaging/sso-service:3.6.4 \
  --artifact-type application/vnd.openvex \
  --format json | python3 -c "import json,sys; print(json.load(sys.stdin)['manifests'][0]['digest'])")

# 2. Pull the VEX blob by digest
oras pull "castimaging/sso-service:3.6.4@${DIGEST}" --output vex.json

# 3. Pass to Trivy (suppresses confirmed not-affected findings)
trivy image --vex vex.json castimaging/sso-service:3.6.4
```
VEX status reference
| Status | Meaning |
|---|---|
| Fixed | A patched version has shipped in the release listed in the “Fixed In” column. |
| Not Affected | The vulnerable code path is not reachable in our deployment. The justification explains why — aligned with CISA VEX justification labels. |
| Affected | The vulnerability is confirmed exploitable in this product. An action statement specifying the required remediation is included in the VEX attestation. |
| False Positive | The scanner reports the CVE but the installed version already includes the fix, or a PURL classifier mismatch triggers the finding. |
| Under Review | The vulnerability is confirmed present. A fix is being assessed or developed. |
| Waiting for Upstream Fix | The fix requires an upstream component upgrade (e.g. Neo4j, Keycloak base image) not yet available or not yet qualified. |
| Waiting for OS Update | The CVE is in a system package (e.g. libc, openssl) managed by the OS vendor (Debian/Ubuntu). No fix is available from the OS vendor yet. CAST integrates the update as soon as the base image is updated. |
| Fix Incoming | A fix exists in an upstream version that CAST has not yet shipped. The “Fixed In” column shows the target release. |
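The following is an added example (not CAST's code) that models, in simplified form, what a scanner does with the pulled vex.json and how the status semantics in the table above translate into OpenVEX terms: not_affected and fixed statements suppress a finding, while affected and under_investigation leave it in the report. The image PURL, CVE IDs and author are placeholders; the validation rules are the OpenVEX requirements that a not_affected statement carry a justification or impact_statement and an affected statement carry an action_statement. Matching here is by exact CVE name and product PURL, which is simpler than Trivy's real PURL and subcomponent matching.

```python
# Added example, not CAST's code: a simplified model of what a scanner does with
# an OpenVEX document passed via --vex. Matching is by exact CVE name and product
# PURL; Trivy's real matching of PURLs and subcomponents is richer than this.
PRODUCT = "pkg:oci/example-service@sha256:PLACEHOLDER"  # placeholder, not a real image

# Constructed OpenVEX document; json.load() of a pulled vex.json yields this shape.
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/placeholder-001",
    "author": "example-security-team", "timestamp": "2024-01-01T00:00:00Z", "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-00001"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path",
         "impact_statement": "Build-time tool only; it is not present at runtime."},
        {"vulnerability": {"name": "CVE-0000-00002"}, "products": [{"@id": PRODUCT}],
         "status": "affected", "action_statement": "Upgrade once the upstream fix is qualified."},
        {"vulnerability": {"name": "CVE-0000-00003"}, "products": [{"@id": PRODUCT}],
         "status": "fixed"},
        {"vulnerability": {"name": "CVE-0000-00004"}, "products": [{"@id": PRODUCT}],
         "status": "under_investigation"},
    ],
}
SUPPRESSING = {"not_affected", "fixed"}  # statuses a scanner drops from its report

def validate(doc):
    """Return spec problems: OpenVEX requires a justification or impact_statement
    on not_affected statements and an action_statement on affected ones."""
    problems = []
    for s in doc["statements"]:
        cve, status = s["vulnerability"]["name"], s["status"]
        if status == "not_affected" and not (s.get("justification") or s.get("impact_statement")):
            problems.append(f"{cve}: not_affected needs a justification or impact_statement")
        if status == "affected" and not s.get("action_statement"):
            problems.append(f"{cve}: affected needs an action_statement")
    return problems

def apply_vex(findings, doc):
    """Split (cve, purl) scanner findings into those still reported and those
    suppressed, recording the status and justification that suppressed each."""
    index = {(s["vulnerability"]["name"], p["@id"]): s
             for s in doc["statements"] for p in s["products"]}
    reported, suppressed = [], {}
    for cve, purl in findings:
        st = index.get((cve, purl))  # no statement for another product's PURL
        if st and st["status"] in SUPPRESSING:
            suppressed[(cve, purl)] = (st["status"], st.get("justification"))
        else:
            reported.append((cve, purl))
    return reported, suppressed
```

A finding for the same CVE on a PURL the statement does not name is still reported, which is why a VEX statement must list the exact products it covers.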
CVE IDs are loaded client-side and are not indexed by the site-wide search engine. Use the search box in the table above to find a specific CVE ID.
Related pages
- Compliance FAQ — FIPS, authentication, data protection, and secure development lifecycle details
- Secure Development — third-party component policy, malware scanning, and integrity verification
Per-product security fix release notes: