Accepted CVEs for Sourcegraph 5.2.4
| CVE ID | Affected Images | CVE Severity | CVSS Base Score | Sourcegraph Assessment | CVSS Environmental Score | Details |
|---|---|---|---|---|---|---|
| CVE-2023-39325 | caddy, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. |
| GHSA-M425-MQ94-257G | caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to ‘gRPC-Go HTTP/2 Rapid Reset vulnerability’ because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. |
| CVE-2023-5363 | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |
| CVE-2023-47108 | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |
| CVE-2023-45142 | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |
Known False Positives
Some scanners incorrectly identify false positives in our images:
| Vulnerability ID | Affected Images | Note |
|---|---|---|
| SNYK-GOLANG-GITHUBCOMCYPHARFILEPATHSECUREJOIN-5889602 | sourcegraph/cadvisor | This potential security issue only affects filepath-securejoin when used on Windows - all Sourcegraph deployments use Linux |