Accepted CVEs for Sourcegraph 5.2.1

| CVE ID | Affected Images | CVE Severity | CVSS Base Score | Sourcegraph Assessment | CVSS Environmental Score | Details |
|---|---|---|---|---|---|---|
| CVE-2023-45142 | caddy | High | 7.5 | Medium | 5.7 | There is currently no patched version of Caddy available that resolves this issue. We will update once the patch is available. The instances are not typically exposed on the internet, so the likelihood of exploitation is low. This issue only has a potential impact on the availability of the Caddy service. |
| CVE-2023-45853 | sourcegraph/grafana, sourcegraph/blobstore, sourcegraph/cadvisor, sourcegraph/frontend, sourcegraph/github-proxy, sourcegraph/gitserver, sourcegraph/indexed-searcher, sourcegraph/migrator, sourcegraph/node-exporter, sourcegraph/opentelemetry-collector, sourcegraph/postgres_exporter, sourcegraph/precise-code-intel-worker, sourcegraph/prometheus, sourcegraph/redis-cache, sourcegraph/redis-store, sourcegraph/repo-updater, sourcegraph/search-indexer, sourcegraph/searcher, sourcegraph/symbols, sourcegraph/syntax-highlighter, sourcegraph/worker | Critical | 9.8 | Medium | 4.7 | This vulnerability affects the zlib library's handling of zip files. The issue is not present in Sourcegraph, as the application does not accept zip files as part of a request. |
| CVE-2023-40283 | sourcegraph/grafana | High | 7.8 | Medium | 4.7 | This issue is not present in Sourcegraph, as the application does not use Bluetooth features. |
| CVE-2023-39325 | sourcegraph/node-exporter, sourcegraph/server, sourcegraph/postgres_exporter | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low, and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. |

Known False Positives

Some scanners incorrectly identify false positives in our images:

| Vulnerability ID | Affected Images | Note |
|---|---|---|
| SNYK-GOLANG-GITHUBCOMCYPHARFILEPATHSECUREJOIN-5889602 | sourcegraph/cadvisor | This potential security issue only affects filepath-securejoin when used on Windows; all Sourcegraph deployments use Linux. |