Accepted CVEs for Sourcegraph 4.2.1

| CVE ID | Affected Images | CVE Severity | Sourcegraph Assessment | Details |
| --- | --- | --- | --- | --- |
| CVE-2020-7711 | sourcegraph/server, sourcegraph/grafana | High | Info | This report is a false positive reported by some scanners – the version of the library used by Sourcegraph and its dependencies is not affected by this issue. |
| CVE-2020-7731 | sourcegraph/grafana, sourcegraph/server | High | Low | This is a denial of service vulnerability that can affect Sourcegraph instances where SAML2 is configured as an authProvider. The availability impact of exploitation would be limited. |
| CVE-2021-23214 | sourcegraph/server | High | Info | Some vulnerability scanners fingerprint this image as containing PostgreSQL 12.9, while the image actually contains 12.10. This finding is a false positive. |
| CVE-2021-32027 | sourcegraph/server | High | Info | Some vulnerability scanners fingerprint this image as containing PostgreSQL 12.7, while the image actually contains 12.10. This finding is a false positive. |
| CVE-2021-33194 | sourcegraph/grafana, sourcegraph/cadvisor, sourcegraph/server | High | Low | The CVE affects HTML parsers, specifically the ParseFragment function. The affected dependencies neither use the function nor import the library. |
| CVE-2021-38561 | sourcegraph/grafana, sourcegraph/cadvisor, sourcegraph/server | High | Info | The CVE affects applications that parse language tags using the affected library. Neither of the Sourcegraph dependencies uses x/text to parse arbitrary language tags. |
| CVE-2021-43565 | sourcegraph/server, sourcegraph/prometheus, sourcegraph/grafana, sourcegraph/postgres_exporter | High | Info | This vulnerability is reported in dependencies included by Sourcegraph. Sourcegraph itself doesn’t use the vulnerable functionality, and is therefore not affected by the issue. |
| CVE-2021-44716 | sourcegraph/grafana, sourcegraph/cadvisor, sourcegraph/server | High | Low | In certain conditions, the monitoring functionality packaged with Sourcegraph (Grafana and cAdvisor) could be rendered temporarily inoperable via specially crafted HTTP/2 requests. Exploiting this vulnerability requires administrator-level access, and does not affect the core Sourcegraph functionality. Sourcegraph does not consider this issue a viable security threat to the product. |
| CVE-2022-1552 | sourcegraph/server | High | Info | The vulnerability affects Postgres servers with multiple users where one user can bypass authorization controls and execute commands under a superuser identity. Sourcegraph runs Postgres with only the sg user, so the application is not affected by this vulnerability. |
| CVE-2022-2625 | sourcegraph/server | High | Info | Sourcegraph’s default permissions model means it is not vulnerable to this issue. |
| CVE-2022-3515 | sourcegraph/minio | High | Info | The affected package, libksba, is a dependency of GnuPG used for parsing ASN.1 structures. Sourcegraph is not affected by this vulnerability as GnuPG is not invoked with untrusted inputs. |
| CVE-2022-21698 | sourcegraph/cadvisor, sourcegraph/grafana, sourcegraph/postgres_exporter, sourcegraph/server | High | Low | The vulnerability affects several third-party images shipped with Sourcegraph. However, it doesn’t affect Sourcegraph services directly and the third-party services are not exposed via HTTP. Sourcegraph is not vulnerable to this issue. |
| CVE-2022-24975 | sourcegraph/gitserver | High | Info | Sourcegraph does not use Git in a manner that would make it susceptible to the reported CVE. |
| CVE-2022-27191 | caddy, sourcegraph/grafana, sourcegraph/prometheus, sourcegraph/server, sourcegraph/postgres_exporter, sourcegraph/node-exporter | High | Info | This vulnerability impacts SSH servers using the affected dependency. None of the affected images run SSH servers, much less ones using the dependency. Sourcegraph is not affected by this issue. |
| CVE-2022-27664 | sourcegraph/cadvisor, sourcegraph/prometheus, sourcegraph/grafana, sourcegraph/jaeger-all-in-one, sourcegraph/minio, sourcegraph/indexed-searcher, sourcegraph/server, caddy, sourcegraph/jaeger-agent, sourcegraph/search-indexer, sourcegraph/postgres_exporter, sourcegraph/node-exporter | High | Low | This is a denial of service vulnerability that could affect the availability of Sourcegraph services in specific situations. As Sourcegraph is run as an internal service, our assessment of the severity of this issue is Low. |
| CVE-2022-28931 | sourcegraph/prometheus | Critical | Info | There is no route to exploitation of this vulnerability via the Sourcegraph application. |
| CVE-2022-35737 | sourcegraph/gitserver, sourcegraph/searcher | High | Info | There is no route to exploitation of this vulnerability via the Sourcegraph application. |
| CVE-2022-37315 | sourcegraph/frontend, sourcegraph/gitserver, sourcegraph/migrator, sourcegraph/precise-code-intel-worker, sourcegraph/repo-updater, sourcegraph/searcher, sourcegraph/server, sourcegraph/sg, sourcegraph/symbols, sourcegraph/worker | High | Info | This issue does not affect our GraphQL API. Users are only allowed to fully control GraphQL requests through the API console, which properly sanitizes the queries. |
| CVE-2022-40674 | sourcegraph/cadvisor, sourcegraph/search-indexer | High | Info | This vulnerability affects a dependency of cAdvisor. cAdvisor itself does not use the vulnerable functionality, and is therefore not affected by the issue. It also affects our search-indexer image, but Zoekt does not parse XML and is therefore not vulnerable to the issue. |
| CVE-2022-32149 | sourcegraph/server, sourcegraph/jaeger-all-in-one, caddy, sourcegraph/indexed-searcher, sourcegraph/cadvisor, sourcegraph/grafana, sourcegraph/minio, sourcegraph/prometheus, sourcegraph/search-indexer, sourcegraph/jaeger-agent, sourcegraph/postgres_exporter, sourcegraph/node-exporter | High | Low | This affects x/text and is fixed in our frontend image. The other images in which this issue is present are not affected, as there’s no way for an actor to send arbitrary language headers. |
| CVE-2022-40151 | sourcegraph/server | High | Info | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-40152 | sourcegraph/server | High | Info | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-41912 | sourcegraph/grafana, sourcegraph/server | Critical | Info | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-42003 | sourcegraph/server | High | Info | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-42004 | sourcegraph/server | High | Info | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-42898 | sourcegraph/minio | Medium | Info | Neither Sourcegraph nor its bundled dependencies use the vulnerable Kerberos functionality reported in this CVE. |
| CVE-2022-42915 | sourcegraph/symbols, sourcegraph/github-proxy, sourcegraph/postgres_exporter, sourcegraph/repo-updater, sourcegraph/frontend, sourcegraph/server, sourcegraph/syntax-highlighter, sourcegraph/migrator, sourcegraph/searcher, sourcegraph/sg, sourcegraph/precise-code-intel-worker, sourcegraph/worker, sourcegraph/gitserver | Critical | Info | There is no viable route to exploitation of this issue from the Sourcegraph application. |
| CVE-2022-42916 | sourcegraph/symbols, sourcegraph/github-proxy, sourcegraph/postgres_exporter, sourcegraph/repo-updater, sourcegraph/frontend, sourcegraph/server, sourcegraph/syntax-highlighter, sourcegraph/migrator, sourcegraph/searcher, sourcegraph/sg, sourcegraph/precise-code-intel-worker, sourcegraph/worker, sourcegraph/gitserver | High | Info | There is no viable route to exploitation of this issue from the Sourcegraph application. |
| CVE-2022-43680 | sourcegraph/search-indexer, sourcegraph/cadvisor | High | Info | Neither Sourcegraph nor its bundled dependencies use the vulnerable functionality reported in this CVE. |
| CVE-2022-46146 | sourcegraph/node-exporter, sourcegraph/prometheus_exporter, sourcegraph/prometheus, sourcegraph/server | High | Low | Sourcegraph’s deployment model significantly reduces the risk of this vulnerability resulting in information leakage. |