Security Vulnerabilities

[rphsantos]

Describe the bug
Image quay.io/cephcsi/cephcsi:v3.16.2 has some CVEs that needs attention.

Description
Following a security check, vulnerabilities were found in some packages, related to high-impact CVEs:

• babel:2.9.1-2.el9 CVE-2025-9566
• brotli:1.0.9-9.el9 CVE-2025-6176
• cryptography:36.0.1 CVE-2023-0286, CVE-2026-26007
• crypto/x509:1.25.0 CVE-2025-61729
• gnupg2:2.3.3-5.el9 CVE-2025-68973
• google.golang.org/grpc:v1.78.0 CVE-2026-33186
• grpcio:1.46.7 CVE-2023-33953
• libarchive:3.5.3-6.el9 CVE-2026-4111, CVE-2026-4424, CVE-2025-5914
• libcomps:0.1.18-1.el9 CVE-2025-6176, CVE-2026-1961, CVE-2026-1530, CVE-2026-1531, CVE-2026-1207, CVE-2026-1287, CVE-2026-1312
• libxslt:1.1.34-12.el9 CVE-2024-55549
• net/url:1.25.0 CVE-2025-61726, CVE-2026-25679
• nghttp2:1.43.0-6.el9 CVE-2026-27135
• oath-toolkit:2.6.12-1.el9 CVE-2024-47191, CVE-2023-25577, CVE-2024-34069, CVE-2024-48916
• openssh:9.9p1-4.el9 CVE-2026-3497
• protobuf:3.14.0-17.el9 CVE-2026-0994
• pyasn1:0.4.8 CVE-2026-30922
• pyOpenSSL:21.0.0-1.el9 CVE-2025-9566
• pyparsing:2.4.7-9.el9 CVE-2025-9566
• python3.9:3.9.25-4.el9 CVE-2026-4519
• python-cachetools:4.2.4-1.el9 CVE-2025-9566
• python-chardet:4.0.0-5.el9 CVE-2025-9566
• python-cheroot:10.0.1-4.el9 CVE-2025-9566
• python-click:8.0.3-1.el9 CVE-2025-9566
• python-flask:1:2.0.3-1.el9.1 CVE-2023-30861, CVE-2025-9566
• python-idna:2.10-7.el9.1 CVE-2025-9566
• python-jaraco-classes:3.2.1-5.el9 CVE-2025-9566
• python-jaraco-packaging:8.2.1-3.el9 CVE-2025-9566
• python-jinja2:2.11.3-8.el9 CVE-2024-56201, CVE-2025-27516, CVE-2025-9566
• python-jmespath:1.0.1-1.el9 CVE-2025-9566
• python-markupsafe:1.1.1-12.el9 CVE-2025-9566
• python-more-itertools:8.12.0-2.el9 CVE-2025-9566
• python-oauthlib:3.1.1-5.el9 CVE-2025-9566
• python-packaging:20.9-5.el9 CVE-2025-9566
• python-prettytable:0.7.2-27.el9 CVE-2025-9566
• python-pyasn1:0.4.8-7.el9 CVE-2026-23490, CVE-2025-9566
• python-pyudev:0.22.0-6.el9 CVE-2025-9566
• python-requests:2.25.1-10.el9 CVE-2025-9566
• python-toml:0.10.2-6.el9 CVE-2025-9566
• python-urllib3:1.26.5-7.el9 CVE-2025-66418, CVE-2025-66471, CVE-2026-21441
• python-werkzeug:2.0.3-3.el9.1 CVE-2023-25577, CVE-2024-34069, CVE-2025-9566
• pytz:2021.1-5.el9 CVE-2025-9566
• samba:0:4.23.5-6.el9 CVE-2025-9640
• thrift:0.15.0-4.el9 CVE-2019-10790
• vim:2:8.2.2637-25.el9 CVE-2026-33412
• xz:5.2.5-8.el9 CVE-2022-1271

[nixpanic]

Image has some CVEs that needs attention.

Please be specific in what image you mean.

Ceph-CSI uses the Ceph container-image as a base, you should probably report it to the build team of the https://github.com/ceph/ceph project.

[rphsantos]

My apologies, I forgot to include the image/tag - the scan was done in this one: quay.io/cephcsi/cephcsi:v3.16.2

I have created a new account to report this to the Ceph project, waiting for it to be approved.

[nixpanic]

Thanks @rphsantos, please leave the link to the Ceph tracker here once you have created it.