Accepted CVEs for Sourcegraph 3.43.2

| CVE ID | Affected Images | CVE Severity | Sourcegraph Assessment | Details |
|---|---|---|---|---|
| CVE-2022-1552 | sourcegraph/server | High | Info | The vulnerability affects Postgres servers with multiple users, where one user can bypass authorization controls and execute commands under a superuser identity. Sourcegraph runs Postgres with only the sg user, so the application is not affected by this vulnerability. |
| CVE-2022-27191 | caddy, sourcegraph/grafana, sourcegraph/prometheus, sourcegraph/server, sourcegraph/postgres_exporter, sourcegraph/node-exporter | High | Info | This vulnerability impacts SSH servers using the affected dependency. None of the affected images run SSH servers, let alone one using the dependency. Sourcegraph is not affected by this issue. |
| CVE-2021-33194 | sourcegraph/grafana, sourcegraph/cadvisor, sourcegraph/server | High | Low | The CVE affects HTML parsers, specifically the ParseFragment function. The affected dependencies neither use the function nor import the library. |
| CVE-2021-44716 | sourcegraph/grafana, sourcegraph/cadvisor, sourcegraph/server | High | Low | In certain conditions, the monitoring functionality packaged with Sourcegraph (Grafana and cAdvisor) could be rendered temporarily inoperable via specially crafted HTTP/2 requests. Exploiting this vulnerability requires administrator-level access, and it does not affect core Sourcegraph functionality. Sourcegraph does not consider this issue a viable security threat to the product. |
| CVE-2022-21698 | sourcegraph/cadvisor, sourcegraph/grafana, sourcegraph/postgres_exporter, sourcegraph/server | High | Low | The vulnerability affects several third-party images shipped with Sourcegraph. However, it does not affect Sourcegraph services directly, and the third-party services are not exposed via HTTP. Sourcegraph is not affected by this vulnerability. |
| CVE-2021-38561 | sourcegraph/grafana, sourcegraph/cadvisor, sourcegraph/server | High | Info | The CVE affects applications that parse language tags using the affected library. None of the Sourcegraph dependencies use x/text to parse arbitrary language tags. |
| CVE-2022-37315 | sourcegraph/frontend, sourcegraph/gitserver, sourcegraph/migrator, sourcegraph/precise-code-intel-worker, sourcegraph/repo-updater, sourcegraph/server | High | Low | Sourcegraph does not construct GraphQL queries in a manner that exposes it to this vulnerability. |
| CVE-2022-2526 | sourcegraph/minio | High | Info | This vulnerability affects a package bundled in the base image of one of Sourcegraph's containers. Sourcegraph does not use the affected package. |
| CVE-2022-2625 | sourcegraph/server | High | Info | Sourcegraph's default permissions model means it is not vulnerable to this issue. |
| CVE-2022-37315 | sourcegraph/frontend, sourcegraph/gitserver, sourcegraph/migrator, sourcegraph/precise-code-intel-worker, sourcegraph/repo-updater, sourcegraph/searcher, sourcegraph/server, sourcegraph/sg, sourcegraph/symbols, sourcegraph/worker | High | Info | This issue does not affect our GraphQL API. Users are only allowed to fully control GraphQL requests through the API console, which properly sanitizes the queries. |