Accepted CVEs for Sourcegraph 5.1.5

| CVE ID | Affected Images | CVE Severity | CVSS Base Score | Sourcegraph Assessment | CVSS Environmental Score | Details |
|---|---|---|---|---|---|---|
| CVE-2022-27191 | caddy | High | 7.5 | Info | 0.0 | This image is only used in Docker deployments. The vulnerability affects SSH servers built on the affected dependency; Caddy runs no SSH server, let alone one that uses that package. Sourcegraph is not affected by this issue. |
| CVE-2022-27664 | caddy | High | 7.5 | Low | 1.7 | This image is only used in Docker deployments. This is a denial-of-service vulnerability that could affect the availability of Sourcegraph services in specific situations. As Sourcegraph is run as an internal service, our assessment of the severity of this issue is Low. |
| CVE-2022-41723 | caddy | High | 7.5 | Low | 2.1 | This image is only used in Docker deployments. This is a denial-of-service vulnerability that could affect the availability of Sourcegraph services in specific situations. It is only reachable via internal traffic within our application, not by external or unauthenticated users, and is limited to the site-admin vector. Our assessment of the severity of this issue is Low. |
| CVE-2022-32149 | caddy | High | 7.5 | Medium | 5.7 | This image is only used in Docker deployments. It could only be used to cause a denial of service by an attacker in a privileged network position. It will be fixed in the next Sourcegraph release. |
| CVE-2022-4450 | caddy | High | 7.5 | Info | 0.0 | This image is only used in Docker deployments. Caddy does not process PEM files, so it cannot be exploited via this issue. |
| CVE-2023-0215 | caddy | High | 7.5 | Info | 0.0 | This image is only used in Docker deployments. Caddy does not use the SMIME, CMS or PKCS7 streaming capabilities, so it cannot be exploited via this issue. |
| CVE-2023-0286 | caddy | High | 7.4 | Info | 0.0 | This image is only used in Docker deployments. Caddy does not process X.400 addresses, so it cannot be exploited via this issue. |
| CVE-2023-0464 | caddy | High | 7.5 | Info | 0.0 | This image is only used in Docker deployments. Caddy does not verify X.509 certificates in this deployment (client certificate authentication is not enabled), so it cannot be exploited via this issue. |
| CVE-2023-2650 | caddy | High | 7.5 | Info | 0.0 | This image is only used in Docker deployments. This issue only affects servers that allow client authentication using X.509 certificates, which our Caddy deployment does not. |

Known False Positives

Some scanners report findings in our images that are false positives:

| Vulnerability ID | Affected Images | Note |
|---|---|---|
| CVE-2023-27561 | sourcegraph/cadvisor | False positive: this is patched in github.com/opencontainers/runc/libcontainer@v1.1.5 |
| CVE-2022-0543, CVE-2022-3734 | sourcegraph/redis-cache, sourcegraph/redis-store, sourcegraph/server | False positive: these vulnerabilities are specific to Debian-packaged (CVE-2022-0543) and Windows (CVE-2022-3734) Redis releases |
| CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-39201 | sourcegraph/grafana, sourcegraph/server | False positive: these vulnerabilities have been patched by Chainguard |
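The two tables above are only useful if a scanner's findings are suppressed exactly as scoped: by CVE and image together, and, where the note names a fix version, only when the installed package is at or beyond it. The following script is an added example that applies both tables that way; it is not Sourcegraph's own tooling. The `Finding` record shape, the `Disposition` and `triage` helpers, the simplified version comparison, the sample findings and the image name `sourcegraph/frontend` are all constructed for illustration and do not correspond to any real scanner's output format.

```python
"""Apply a per-image CVE disposition list (accepted risk and known false
positives) to scanner findings.

Added example, not Sourcegraph tooling. Finding records below are constructed;
their shape is a simplification, not any scanner's real JSON schema.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str
    image: str
    package: str
    installed_version: str


@dataclass(frozen=True)
class Disposition:
    cve: str
    images: Tuple[str, ...]        # images the assessment covers; others are NOT covered
    status: str                    # "accepted" or "false-positive"
    note: str
    fixed_in: Optional[str] = None  # suppress only if installed version >= this


REDIS = ("sourcegraph/redis-cache", "sourcegraph/redis-store", "sourcegraph/server")
GRAFANA = ("sourcegraph/grafana", "sourcegraph/server")

# Transcribed from the two tables on this page (notes abbreviated).
DISPOSITIONS = [
    Disposition("CVE-2022-27191", ("caddy",), "accepted", "Info: Caddy runs no SSH server"),
    Disposition("CVE-2022-27664", ("caddy",), "accepted", "Low: DoS, internal service only"),
    Disposition("CVE-2022-41723", ("caddy",), "accepted", "Low: DoS, internal traffic only"),
    Disposition("CVE-2022-32149", ("caddy",), "accepted", "Medium: DoS from privileged network position"),
    Disposition("CVE-2022-4450", ("caddy",), "accepted", "Info: no PEM processing"),
    Disposition("CVE-2023-0215", ("caddy",), "accepted", "Info: no SMIME/CMS/PKCS7 streaming"),
    Disposition("CVE-2023-0286", ("caddy",), "accepted", "Info: no X.400 address processing"),
    Disposition("CVE-2023-0464", ("caddy",), "accepted", "Info: no X.509 verification"),
    Disposition("CVE-2023-2650", ("caddy",), "accepted", "Info: no client certificate auth"),
    Disposition("CVE-2023-27561", ("sourcegraph/cadvisor",), "false-positive",
                "patched in runc libcontainer", fixed_in="1.1.5"),
    Disposition("CVE-2022-0543", REDIS, "false-positive", "Debian-packaged Redis only"),
    Disposition("CVE-2022-3734", REDIS, "false-positive", "Redis on Windows only"),
    Disposition("CVE-2022-31107", GRAFANA, "false-positive", "patched by Chainguard"),
    Disposition("CVE-2022-31123", GRAFANA, "false-positive", "patched by Chainguard"),
    Disposition("CVE-2022-31130", GRAFANA, "false-positive", "patched by Chainguard"),
    Disposition("CVE-2022-39201", GRAFANA, "false-positive", "patched by Chainguard"),
]

# Lookup keyed by (CVE, image) so a CVE is never suppressed on an unassessed image.
INDEX = {(d.cve, img): d for d in DISPOSITIONS for img in d.images}


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified version key: 'v1.1.5' or '1.1.5-r0' -> (1, 1, 5).
    Pre-release and distro suffixes are dropped; this is not full semver."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def triage(findings: List[Finding]):
    """Return (suppressed, remaining). suppressed holds (finding, disposition)
    pairs; remaining holds findings that still need a human decision."""
    suppressed, remaining = [], []
    for f in findings:
        d = INDEX.get((f.cve, f.image))
        if d is None:
            remaining.append(f)  # unknown CVE, or known CVE on an image not assessed
            continue
        if d.fixed_in and parse_version(f.installed_version) < parse_version(d.fixed_in):
            remaining.append(f)  # older than the version the page calls patched
            continue
        suppressed.append((f, d))
    return suppressed, remaining


# Constructed sample findings; "sourcegraph/frontend" is a hypothetical image name.
SAMPLE_FINDINGS = [
    Finding("CVE-2022-27664", "caddy", "golang.org/x/net", "0.0.0-20220722"),
    Finding("CVE-2022-27664", "sourcegraph/frontend", "golang.org/x/net", "0.0.0-20220722"),
    Finding("CVE-2023-27561", "sourcegraph/cadvisor", "github.com/opencontainers/runc", "v1.1.5"),
    Finding("CVE-2023-27561", "sourcegraph/cadvisor", "github.com/opencontainers/runc", "v1.1.4"),
    Finding("CVE-2022-0543", "sourcegraph/redis-cache", "redis", "7.0.11-r0"),
]

if __name__ == "__main__":
    done, todo = triage(SAMPLE_FINDINGS)
    for f, d in done:
        print(f"SUPPRESSED {f.cve} on {f.image}: {d.status}, {d.note}")
    for f in todo:
        print(f"REMAINING  {f.cve} on {f.image} ({f.package} {f.installed_version})")
```

Run as shown, the same CVE-2022-27664 finding is suppressed on caddy but left open on the unassessed image, and the runc finding is suppressed only when the installed version is at or above 1.1.5; an older runc stays on the list even though the CVE is marked a false positive for that image.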