Security Report - eizen-vip-gateway-api

🔴 Vulnerabilities (2)
Severity	CVE ID	Package	Installed	Fixed In	Description
HIGH	CVE-2026-32597	PyJWT	2.11.0	2.12.0	pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
MEDIUM	CVE-2026-25645	requests	2.32.5	2.33.0	requests: Requests: Security bypass due to predictable temporary file creation
🔑 Secrets (0)
Type	File	Line	Match
✅ No secrets found
⚙️ Misconfigurations (1)
Severity	ID	Check	File	Message
HIGH	DS002	Image user should not be 'root'	Dockerfile	Specify at least 1 USER command in Dockerfile with non-root user as argument
📄 Raw JSON Report (click to expand)
{
  "SchemaVersion": 2,
  "CreatedAt": "2026-04-13T06:33:25.949330896Z",
  "ArtifactName": "/src",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "requirements.txt",
      "Class": "lang-pkgs",
      "Type": "pip",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2026-32597",
          "PkgName": "PyJWT",
          "PkgIdentifier": {
            "PURL": "pkg:pypi/pyjwt@2.11.0"
          },
          "InstalledVersion": "2.11.0",
          "FixedVersion": "2.12.0",
          "Status": "fixed",
          "Layer": {},
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-32597",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory pip",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
          },
          "Title": "pyjwt: PyJWT accepts unknown `crit` header extensions (RFC 7515 \u00a74.1.11 MUST violation)",
          "Description": "PyJWT is a JSON Web Token implementation in Python. Prior to 2.12.0, PyJWT does not validate the crit (Critical) Header Parameter defined in RFC 7515 \u00a74.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC. This vulnerability is fixed in 2.12.0.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-345",
            "CWE-863"
          ],
          "VendorSeverity": {
            "amazon": 2,
            "ghsa": 3,
            "photon": 3,
            "redhat": 3,
            "ubuntu": 2
          },
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2026-32597",
            "https://github.com/jpadilla/pyjwt",
            "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f",
            "https://nvd.nist.gov/vuln/detail/CVE-2026-32597",
            "https://ubuntu.com/security/notices/USN-8133-1",
            "https://www.cve.org/CVERecord?id=CVE-2026-32597"
          ],
          "PublishedDate": "2026-03-13T19:55:09.5Z",
          "LastModifiedDate": "2026-03-19T13:30:29.217Z"
        },
        {
          "VulnerabilityID": "CVE-2026-25645",
          "PkgName": "requests",
          "PkgIdentifier": {
            "PURL": "pkg:pypi/requests@2.32.5"
          },
          "InstalledVersion": "2.32.5",
          "FixedVersion": "2.33.0",
          "Status": "fixed",
          "Layer": {},
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2026-25645",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory pip",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
          },
          "Title": "requests: Requests: Security bypass due to predictable temporary file creation",
          "Description": "Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Standard usage of the Requests library is not affected by this vulnerability. Only applications that call `extract_zipped_paths()` directly are impacted. Starting in version 2.33.0, the library extracts files to a non-deterministic location. If developers are unable to upgrade, they can set `TMPDIR` in their environment to a directory with restricted write access.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-377"
          ],
          "VendorSeverity": {
            "azure": 2,
            "ghsa": 2,
            "nvd": 2,
            "photon": 2,
            "redhat": 2
          },
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N",
              "V3Score": 4.4
            },
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
              "V3Score": 5.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
              "V3Score": 4.7
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2026-25645",
            "https://github.com/psf/requests",
            "https://github.com/psf/requests/commit/66d21cb07bd6255b1280291c4fafb71803cdb3b7",
            "https://github.com/psf/requests/releases/tag/v2.33.0",
            "https://github.com/psf/requests/security/advisories/GHSA-gc5v-m9x4-r6x2",
            "https://nvd.nist.gov/vuln/detail/CVE-2026-25645",
            "https://www.cve.org/CVERecord?id=CVE-2026-25645"
          ],
          "PublishedDate": "2026-03-25T17:16:52.97Z",
          "LastModifiedDate": "2026-03-30T14:23:16.127Z"
        }
      ]
    },
    {
      "Target": "Dockerfile",
      "Class": "config",
      "Type": "dockerfile",
      "MisconfSummary": {
        "Successes": 23,
        "Failures": 1,
        "Exceptions": 0
      },
      "Misconfigurations": [
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS002",
          "AVDID": "AVD-DS-0002",
          "Title": "Image user should not be 'root'",
          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
          "Namespace": "builtin.dockerfile.DS002",
          "Query": "data.builtin.dockerfile.DS002.deny",
          "Resolution": "Add 'USER <non root user name>' line to the Dockerfile",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/misconfig/ds002",
          "References": [
            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
            "https://avd.aquasec.com/misconfig/ds002"
          ],
          "Status": "FAIL",
          "Layer": {},
          "CauseMetadata": {
            "Provider": "Dockerfile",
            "Service": "general",
            "Code": {
              "Lines": null
            }
          }
        }
      ]
    }
  ]
}
🛡️ Security Scan Report

0

2

1

0

0

1
