Accepted CVEs for Sourcegraph 5.1.0

CVE IDAffected ImagesCVE SeverityCVSS Base ScoreSourcegraph AssessmentCVSS Environmental ScoreDetails
CVE-2022-41723sourcegraph/prometheus (Docker Compose only)High7.5Low2.1This is a denial of service vulnerability that could affect the availability of Sourcegraph services in specific situations. This vulnerability can only affect via internal traffic within our application, not external access or unauthenticated user, and limited to the site-admin vector. Our assessment of the severity of this issue is Low.
CVE-2023-28840sourcegraph/prometheus (Docker Compose only)High7.5Low0This vulnerability affects Docker Swarm overlay networks - Sourcegraph does not use this feature.

Known False Positives

Some scanners incorrectly identify false positives in our images:

Vulnerability IDAffected ImagesNote
CVE-2023-27561sourcegraph/cadvisorFalse positive - this is patched in
CVE-2022-0543, CVE-2022-3734sourcegraph/redis-cache, sourcegraph/redis-store, sourcegraph/serverFalse positive - these vulnerabilities are specific to Windows and Debian releases
CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-39201sourcegraph/grafana, sourcegraph/serverFalse positive - these vulnerabilities have been patched by Chainguard