Accepted CVEs for Sourcegraph 4.5.1

| CVE ID | Affected Images | CVE Severity | CVSS Base Score | Sourcegraph Assessment | CVSS Environmental Score | Details |
|---|---|---|---|---|---|---|
| CVE-2020-7711 | sourcegraph/server, sourcegraph/grafana | High | 7.5 | Info | 0 | This report is a false positive reported by some scanners; the version of the library used by Sourcegraph and its dependencies is not affected by this issue. |
| CVE-2020-7731 | sourcegraph/grafana, sourcegraph/server | High | 7.5 | Low | 3.2 | This is a denial of service vulnerability that can affect Sourcegraph instances where SAML2 is configured as an authProvider. The availability impact of exploitation would be limited. |
| CVE-2021-23214 | sourcegraph/server | High | 8.1 | Info | 0 | Some vulnerability scanners fingerprint this image as containing PostgreSQL 12.9, while the image actually contains 12.10. This finding is a false positive. |
| CVE-2021-32027 | sourcegraph/server | High | 8.8 | Info | 0 | Some vulnerability scanners fingerprint this image as containing PostgreSQL 12.7, while the image actually contains 12.10. This finding is a false positive. |
| CVE-2021-33194 | sourcegraph/grafana, sourcegraph/server | High | 7.5 | Info | 0 | The CVE affects HTML parsers, specifically the ParseFragment function. The affected dependencies neither use the function nor import the library. |
| CVE-2021-38561 | sourcegraph/grafana, sourcegraph/server | High | 7.5 | Info | 0 | The CVE affects applications that parse language tags using the affected library. Neither of the Sourcegraph dependencies uses x/text to parse arbitrary language tags. |
| CVE-2021-43565 | sourcegraph/server, sourcegraph/grafana, sourcegraph/postgres_exporter | High | 7.5 | Info | 0 | This vulnerability is reported in dependencies included by Sourcegraph. Sourcegraph itself does not use the vulnerable functionality and is therefore not affected by the issue. |
| CVE-2021-44716 | sourcegraph/grafana, sourcegraph/server | High | 7.5 | Low | 3.1 | In certain conditions, the monitoring functionality packaged with Sourcegraph (Grafana and cAdvisor) could be rendered temporarily inoperable via specially crafted HTTP/2 requests. Exploiting this vulnerability requires administrator-level access and does not affect core Sourcegraph functionality. Sourcegraph does not consider this issue a viable security threat to the product. |
| CVE-2022-1552 | sourcegraph/server | High | 8.8 | Info | 0 | The vulnerability affects Postgres servers with multiple users, where one user can bypass authorization controls and execute commands under a superuser identity. Sourcegraph runs Postgres with only the sg user, so the application is not affected by this vulnerability. |
| CVE-2022-2625 | sourcegraph/server | High | 8.0 | Info | 0 | Sourcegraph's default permissions model means it is not vulnerable to this issue. |
| CVE-2022-21698 | sourcegraph/grafana, sourcegraph/server | High | 7.5 | Low | 3.6 | The vulnerability affects several third-party images shipped with Sourcegraph. However, it does not affect Sourcegraph directly, and the third-party services are not exposed via HTTP. Sourcegraph is not vulnerable to this issue. |
| CVE-2022-27191 | sourcegraph/grafana, sourcegraph/server, sourcegraph/postgres_exporter | High | 7.5 | Info | 0 | This vulnerability impacts SSH servers using the affected dependency. None of the affected images run SSH servers, much less ones using the dependency. Sourcegraph is not affected by this issue. |
| CVE-2022-27664 | sourcegraph/grafana, sourcegraph/server, sourcegraph/postgres_exporter | High | 7.5 | Low | 1.7 | This is a denial of service vulnerability that could affect the availability of Sourcegraph services in specific situations. As Sourcegraph is run as an internal service, our assessment of the severity of this issue is Low. |
| CVE-2022-32149 | sourcegraph/server, sourcegraph/grafana, sourcegraph/postgres_exporter | High | 7.5 | Low | 1.7 | This affects x/text and is fixed in our frontend image. The other images in which this issue is present are not affected, as there is no way for an actor to send arbitrary language headers. |
| CVE-2022-41721 | | High | 7.5 | Info | 0 | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-41912 | sourcegraph/grafana, sourcegraph/server | Critical | 9.1 | Info | 0 | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-43551 | sourcegraph/server | High | 7.5 | Info | 0 | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-37315 | sourcegraph/server | High | 7.5 | Info | 0 | This issue does not affect our GraphQL API. Users are only allowed to fully control GraphQL requests through the API console, which properly sanitizes the queries. |
| CVE-2022-40152 | sourcegraph/server | High | 7.5 | Info | 0 | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-40151 | sourcegraph/server | High | 7.5 | Info | 0 | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-42004 | sourcegraph/server | High | 7.5 | Info | 0 | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-42003 | sourcegraph/server | High | 7.5 | Info | 0 | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2023-0286 | sourcegraph/server, sourcegraph/syntax-highlighter | High | NVD has not published a CVSS score at the time of this writing | Info | 0 | Sourcegraph does not use or process X.400 addresses. |
| CVE-2022-28948 | sourcegraph/grafana, sourcegraph/server | High | 7.5 | Low | 2.1 | Sourcegraph is potentially vulnerable to this in the processing of Batch Changes. The possible impact is limited to the user executing the Batch Change, thus not presenting any real risk to other users or the stability of the application. |
| CVE-2022-41721 | sourcegraph/server | High | 7.5 | Info | 0 | Sourcegraph does not use MaxBytesHandler anywhere in the application. |
| CVE-2022-3094 | sourcegraph/server | High | 7.5 | Info | 0 | Sourcegraph does not perform any form of custom DNS operations or run a DNS server that would be exploitable via this issue in BIND 9. |
| CVE-2022-3736 | sourcegraph/server | High | 7.5 | Info | 0 | Sourcegraph does not perform any form of custom DNS operations or run a DNS server that would be exploitable via this issue in BIND 9. |
| CVE-2022-3924 | sourcegraph/server | High | NVD has not published a CVSS score at the time of this writing | Info | 0 | Sourcegraph does not perform any form of custom DNS operations or run a DNS server that would be exploitable via this issue in BIND 9. |
| CVE-2023-24998 | sourcegraph/blobstore, sourcegraph/server | High | NVD has not published a CVSS score at the time of this writing | Low | 2.1 | This is a denial of service vulnerability that could affect the availability of Sourcegraph services in specific situations. As Sourcegraph is run as an internal service, our assessment of the severity of this issue is Low. |
| CVE-2022-4450 | sourcegraph/syntax-highlighter, sourcegraph/server | High | 7.5 | Info | 0 | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2023-0215 | sourcegraph/syntax-highlighter, sourcegraph/server | High | 7.5 | Info | 0 | Sourcegraph does not use the functionality affected by this vulnerability. |
| CVE-2022-41723 | sourcegraph/cadvisor, sourcegraph/grafana, sourcegraph/node-exporter, sourcegraph/opentelemetry-collector, sourcegraph/postgres_exporter, sourcegraph/prometheus | High | NVD has not published a CVSS score at the time of this writing | Low | 2.1 | This is a denial of service vulnerability that could affect the availability of Sourcegraph services in specific situations. As Sourcegraph is run as an internal service, our assessment of the severity of this issue is Low. |