High severity vulnerabilities in Datomic transactor

We’re attempting to deploy Datomic, and we’ve built an application on top of it, but in order to go to production, we have strict requirements of zero high severity vulnerabilities as identified by the National Vulnerability Database.

According to our scans of the Datomic Transactor (version=1.0.6397) we’ve identified at least 10 high severity vulnerabilities, including at least one zero-day exploit. They are as follows: CVE-2020-27853, CVE-2021-41093, CVE-2022-33980, CVE-2021-42392, CVE-2022-23221, CVE-2022-40150, CVE-2022-40149, CVE-2022-31197, CVE-2022-21724, CVE-2022-42889.

Is there any plan and/or timeline when these vulnerabilities will be resolved?
Is there a security analysis available on why leaving these unresolved is feasible in a production-grade setting?

Thank you!

@jasonjckn Hello! We currently have a support ticket created on the issue and have not received a response.

Could you check to see if you received the reply and provide the information requested in the ticket?

We do not currently believe these CVEs affect the product; however, further research is required after reviewing the provided information.

-Robert Randolph

Just checked, haven’t gotten a reply yet. Let me know when you send it.

Hi Jason,

We have sent you two replies on the case. Can you login to Zendesk to confirm here: https://support.cognitect.com/hc/en-us

Or can you check your spam to confirm replies from support@datomic.com are allowed?

I am happy to share here that we have requested exactly what scanner you used to produce these results, what you pointed it at, and how you ran the scanner.

Thanks,
Jaret

I can see it now, my bad. I’ll reply on that thread from here on out - thanks!