Security Deep Dive
doris
Security posture and CVE patch evidence from tracked releases.
1 actively-exploited dependency CVE affects 4.1.1.
KEV-listed CVEs are confirmed exploited in the wild — patch urgently.
Versions by Severity
CVEs are attributed to tracked releases published before the patch release.
| Version | Published | C | H | M | L | KEV | Notes |
|---|---|---|---|---|---|---|---|
| 4.1.1 | 2026-05-25 | — | — | — | — | — | |
| 4.1.0 | 2026-04-16 | 3 | 1 | — | — | KEV 4 |
—
|
| 4.0.5 | 2026-03-31 | 3 | 1 | — | — | KEV 4 |
—
|
| 4.0.4-release | 2026-03-11 | 3 | 1 | — | — | KEV 4 |
—
|
| 4.0.3-rc03 | 2026-01-30 | 3 | 1 | — | — | KEV 4 |
—
|
— Signed
— SLSA
— SBOM
✗ Security policy
Monthly cadence · 29d median
Active maintainer
Trust Signals — 2 of 9 Present
Evidence already collected from releases and repository metadata.
2/9
Present
Signed releases
Unknown
Latest release artifact signature
Latest release
—
SLSA provenance
Unknown
Attestation predicate level
Latest release
—
SBOM published
Unknown
GitHub SBOM API
Latest release
—
SECURITY.md
Absent
GitHub repository metadata
Repository policy
Checked: 21d ago
Release cadence: monthly
Present
29d median over recent releases
Release history
Latest release: 9d ago
Maintainer active
Present
Recent commit activity
Repository
Last commit: today
Checksums (SHA256SUMS)
Not active yet
SHA256SUMS or equivalent
Release asset
Latest release: 9d ago
GitHub Actions attestation
Not active yet
actions/attest-build-provenance
Workflow file
Latest release: 9d ago
Signing assets
Not active yet
.sig, .crt, cosign.pub, or similar
Release asset
Latest release: 9d ago
0.5/10
Security Score
Dependency Exposure
119 transitive dependency
CVEs found in the latest SBOM.
6 critical.
Security Score
A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.
epss
0.00 / 0.5
Max EPSS 0.944
freshness
1.00 / 1.0
3d stale
scorecard
2.00 / 4.0
⚠ Estimated — not yet collected
cve health
0.00 / 2.5
⚠ No direct scan — 54c/147h transitive CVEs
patch speed
0.50 / 0.5
⚠ Estimated — no CVE patch history
kev exposure
-1.50 / 1.5
KEV exposure detected
supply chain risk
-1.50 / 10.0
Risk 100.0/100
Score breakdown
schema v2Vulnerability posture
vulnerability posture
0.0
25%
direct cves: clear
cve scan: estimated
Release responsiveness
release responsiveness
10.0
5%
patch speed days: no_history
Dependency exposure
dependency exposure
0.0
10%
supply chain risk: 100.0
transitive cves: 54c/147h
Provenance trust
provenance trust
5.0
40%
scorecard score: estimated
openssf badge: none
Maintainer health
maintainer health
10.0
10%
activity freshness: 3d
Operational risk
operational risk
0.0
10%
kev exposure: detected
epss max: 0.944
How is this calculated?
The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.
Supply Chain Risk
Risk 100.0/100
6
Transitive critical CVEs
1
KEV-transitive CVEs
81%
Dependency freshness
OpenSSF Badge
OpenSSF none
Badge indicates adherence to open-source best practices.
CVE Patch History
Tracks CVEs that were addressed in tagged releases. Shorter gap between disclosure and patch = faster response. EPSS = predicted probability of exploitation in next 30 days (FIRST.org); colored at ≥90%ile and ≥50%ile.
CVEs Patched by Year
Critical
High
Medium
Low
2026
4
| CVE | Severity | EPSS | Disclosed | Fixed in | Days to fix | vs Ecosystem Median | KEV |
|---|---|---|---|---|---|---|---|
| CVE-2021-44228 | CRITICAL | 99%ile | — | 4.1.1 | — | — | KEV |
| CVE-2021-45046 | CRITICAL | 99%ile | — | 4.1.1 | — | — | KEV |
| CVE-2022-22965 | CRITICAL | 99%ile | — | 4.1.1 | — | — | KEV |
| CVE-2023-44487 | HIGH | 99%ile | — | 4.1.1 | — | — | KEV |
KEV = CISA Known Exploited Vulnerabilities catalog — actively exploited in the wild.
Dependency Vulnerabilities
1412 dependencies scanned
View full dependency list →
Scanning the SBOM (Software Bill of Materials) of the latest release for known vulnerabilities in transitive dependencies.
Critical
6
High
35
Medium
44
Low
12
Unknown
22
1 dependency vulnerabilities are in KEV.
CISA confirmed these vulnerabilities are actively exploited. Treat as critical priority.
Critical
6
High
35
Medium
44
Low
12
Unknown
22
| CVE | Severity | KEV | Dependency | Affected version | Cleared in release |
|---|---|---|---|---|---|
| CVE-2018-17190 | critical | — | org.apache.spark:spark-core_2.11 | 2.3.4 | 4.1.1 |
| CVE-2021-37404 | critical | — | org.apache.hadoop:hadoop-common | 2.8.0 | 4.1.1 |
| CVE-2022-25168 | critical | — | org.apache.hadoop:hadoop-common | 2.8.0 | 4.1.1 |
| CVE-2022-26612 | critical | — | org.apache.hadoop:hadoop-common | 2.8.0 | 4.1.1 |
| CVE-2024-45337 | critical | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2026-33186 | critical | — | google.golang.org/grpc | 1.41.0 | 4.1.1 |
| CVE-2017-7669 | high | — | org.apache.hadoop:hadoop-common | 2.8.0 | 4.1.1 |
| CVE-2018-12608 | high | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2019-13509 | high | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2020-9492 | high | — | org.apache.hadoop:hadoop-common | 2.8.0 | 4.1.1 |
| CVE-2021-22569 | high | — | com.google.protobuf:protobuf-java | 2.5.0 | 4.1.1 |
| CVE-2021-33503 | high | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2021-43565 | high | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2021-43816 | high | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2022-23648 | high | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2022-27191 | high | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2022-27664 | high | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2022-28948 | high | — | gopkg.in/yaml.v3 | 3.0.0 | 4.1.1 |
| CVE-2022-32149 | high | — | golang.org/x/text | 0.3.7 | 4.1.1 |
| CVE-2022-41404 | high | — | org.ini4j:ini4j | 0.5.4 | 4.1.1 |
| CVE-2022-41723 | high | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2023-2253 | high | — | github.com/docker/distribution | 2.8.0+incompatible | 4.1.1 |
| CVE-2023-39325 | high | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2023-43804 | high | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2023-6378 | high | — | ch.qos.logback:logback-classic | 1.2.10 | 4.1.1 |
| CVE-2024-25621 | high | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2024-47554 | high | — | commons-io:commons-io | 2.4 | 4.1.1 |
| CVE-2024-7254 | high | — | com.google.protobuf:protobuf-java | 2.5.0 | 4.1.1 |
| CVE-2025-22868 | high | — | golang.org/x/oauth2 | 0.0.0-20211005180243-6b3c2da341f1 | 4.1.1 |
| CVE-2025-22869 | high | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2025-54920 | high | — | org.apache.spark:spark-core_2.11 | 2.3.4 | 4.1.1 |
| CVE-2025-65637 | high | — | github.com/sirupsen/logrus | 1.8.1 | 4.1.1 |
| CVE-2025-66418 | high | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2025-66471 | high | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2026-21441 | high | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2026-22731 | high | — | org.springframework.boot:spring-boot-starter-actuator | 3.5.7 | 4.1.1 |
| CVE-2026-22733 | high | — | org.springframework.boot:spring-boot-starter-actuator | 3.5.7 | 4.1.1 |
| CVE-2026-34040 | high | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2026-43869 | high | — | org.apache.thrift:libthrift | 0.16.0 | 4.1.1 |
| GHSA-82j2-j2ch-gfr8 | high | — | rustls-webpki | 0.103.10 | 4.1.1 |
| GHSA-m425-mq94-257g | high | — | google.golang.org/grpc | 1.41.0 | 4.1.1 |
| CVE-2015-3627 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2015-3631 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2020-27534 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2021-28363 | medium | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2021-29425 | medium | — | commons-io:commons-io | 2.4 | 4.1.1 |
| CVE-2021-41091 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2022-23471 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2022-24769 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2022-29526 | medium | — | golang.org/x/sys | 0.0.0-20211102192858-4dd72447c267 | 4.1.1 |
| CVE-2022-31030 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2022-3171 | medium | — | com.google.protobuf:protobuf-java | 2.5.0 | 4.1.1 |
| CVE-2022-31777 | medium | — | org.apache.spark:spark-core_2.11 | 2.3.4 | 4.1.1 |
| CVE-2022-36109 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2022-41717 | medium | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2023-25153 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2023-25173 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2023-32681 | medium | — | requests | 2.28.2 | 4.1.1 |
| CVE-2023-33201 | medium | — | org.bouncycastle:bcprov-jdk15on | 1.70 | 4.1.1 |
| CVE-2023-33202 | medium | — | org.bouncycastle:bcprov-jdk15on | 1.70 | 4.1.1 |
| CVE-2023-3978 | medium | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2023-44487 | medium | KEV | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | — |
| CVE-2023-45288 | medium | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2023-45803 | medium | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2023-48795 | medium | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2024-24557 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2024-24786 | medium | — | google.golang.org/protobuf | 1.27.1 | 4.1.1 |
| CVE-2024-29018 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2024-29857 | medium | — | org.bouncycastle:bcprov-jdk15on | 1.70 | 4.1.1 |
| CVE-2024-30171 | medium | — | org.bouncycastle:bcprov-jdk15on | 1.70 | 4.1.1 |
| CVE-2024-34447 | medium | — | org.bouncycastle:bcprov-jdk15on | 1.70 | 4.1.1 |
| CVE-2024-3651 | medium | — | idna | 3.4 | 4.1.1 |
| CVE-2024-37891 | medium | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2024-40635 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2025-10543 | medium | — | github.com/eclipse/paho.mqtt.golang | 1.2.1-0.20200121105743-0d940dd29fd2 | 4.1.1 |
| CVE-2025-22870 | medium | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2025-22872 | medium | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2025-47914 | medium | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2025-50181 | medium | — | urllib3 | 1.26.1 | 4.1.1 |
| CVE-2025-58181 | medium | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2025-64329 | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| CVE-2026-33997 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| GHSA-7ww5-4wqc-m92c | medium | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GHSA-jq35-85cj-fj4p | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| GHSA-xmmx-7jpf-fx42 | medium | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2021-41089 | low | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2024-23454 | low | — | org.apache.hadoop:hadoop-common | 3.3.6 | 4.1.1 |
| CVE-2025-46392 | low | — | commons-configuration:commons-configuration | 1.6 | 4.1.1 |
| CVE-2025-54410 | low | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| GHSA-5j5w-g665-5m35 | low | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GHSA-77vh-xpmg-72qh | low | — | github.com/opencontainers/image-spec | 1.0.2-0.20190823105129-775207bd45b6 | 4.1.1 |
| GHSA-965h-392x-2mh5 | low | — | rustls-webpki | 0.103.10 | 4.1.1 |
| GHSA-c9cp-9c75-9v8c | low | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GHSA-cq8v-f236-94qc | low | — | rand | 0.9.2 | 4.1.1 |
| GHSA-rhfx-m35p-ff5j | low | — | lru | 0.12.5 | 4.1.1 |
| GHSA-vp35-85q5-9f25 | low | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| GHSA-xgp8-3hg3-c2mh | low | — | rustls-webpki | 0.103.10 | 4.1.1 |
| CVE-2019-14271 | unknown | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| CVE-2021-44716 | unknown | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2022-30636 | unknown | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2024-45338 | unknown | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2025-47911 | unknown | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2025-47913 | unknown | — | golang.org/x/crypto | 0.0.0-20210616213533-5ff15b29337e | 4.1.1 |
| CVE-2025-58190 | unknown | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| CVE-2026-33814 | unknown | — | golang.org/x/net | 0.0.0-20211020060615-d418f374d309 | 4.1.1 |
| GO-2022-0360 | unknown | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GO-2022-1107 | unknown | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| GO-2023-2153 | unknown | — | google.golang.org/grpc | 1.41.0 | 4.1.1 |
| GO-2023-2412 | unknown | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GO-2024-2846 | unknown | — | github.com/containerd/containerd | 1.5.7 | 4.1.1 |
| GO-2024-2914 | unknown | — | github.com/docker/docker | 1.4.2-0.20190924003213-a8608b5b67c7 | 4.1.1 |
| RUSTSEC-2024-0384 | unknown | — | instant | 0.1.13 | 4.1.1 |
| RUSTSEC-2024-0436 | unknown | — | paste | 1.0.15 | 4.1.1 |
| RUSTSEC-2025-0134 | unknown | — | rustls-pemfile | 2.2.0 | 4.1.1 |
| RUSTSEC-2026-0002 | unknown | — | lru | 0.12.5 | 4.1.1 |
| RUSTSEC-2026-0097 | unknown | — | rand | 0.9.2 | 4.1.1 |
| RUSTSEC-2026-0098 | unknown | — | rustls-webpki | 0.103.10 | 4.1.1 |
| RUSTSEC-2026-0099 | unknown | — | rustls-webpki | 0.103.10 | 4.1.1 |
| RUSTSEC-2026-0104 | unknown | — | rustls-webpki | 0.103.10 | 4.1.1 |
Showing 119 of 375