Accepted CVEs for Sourcegraph 5.1.0
CVE ID | Affected Images | CVE Severity | CVSS Base Score | Sourcegraph Assessment | CVSS Environmental Score | Details |
---|---|---|---|---|---|---|
CVE-2022-41723 | sourcegraph/prometheus (Docker Compose only) | High | 7.5 | Low | 2.1 | This is a denial-of-service vulnerability that could affect the availability of Sourcegraph services in specific situations. It is reachable only via internal traffic within the application, not by external or unauthenticated users, and is limited to the site-admin vector. Our assessment of the severity of this issue is Low. |
CVE-2023-28840 | sourcegraph/prometheus (Docker Compose only) | High | 7.5 | Low | 0 | This vulnerability affects Docker Swarm overlay networks - Sourcegraph does not use this feature. |
Known False Positives
Some scanners report the following findings in our images, which are false positives:
Vulnerability ID | Affected Images | Note |
---|---|---|
CVE-2023-27561 | sourcegraph/cadvisor | False positive - this is patched in github.com/opencontainers/runc/libcontainer@v1.1.5 |
CVE-2022-0543, CVE-2022-3734 | sourcegraph/redis-cache, sourcegraph/redis-store, sourcegraph/server | False positive - these vulnerabilities apply only to Windows and Debian builds of Redis, which these images do not use |
CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-39201 | sourcegraph/grafana, sourcegraph/server | False positive - these vulnerabilities have been patched by Chainguard |
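The tables above are scoped per image: an acceptance or false-positive rationale made for sourcegraph/prometheus or the Redis images does not transfer to a different image that happens to trip the same CVE ID. The following script is an added example, not Sourcegraph's code or tooling, showing how to apply that scoping when triaging scanner output. It assumes a simplified, Trivy-like report shape (`image` plus a list of `findings` with `id` and `package`), which is an assumption rather than any scanner's exact schema; the sample reports, package names and the `CVE-0000-00000` placeholder are constructed for illustration and do not describe real scan results.

```python
"""Triage container-scanner findings against the accepted / false-positive CVE tables above.

Added example, not part of Sourcegraph's release process. The report format is a
simplified, Trivy-like JSON shape (assumption); sample data below is constructed.
"""
import json

# Status and image scope of each CVE, transcribed from the two tables on this page.
KNOWN = {
    "CVE-2022-41723": ("accepted", {"sourcegraph/prometheus"}),
    "CVE-2023-28840": ("accepted", {"sourcegraph/prometheus"}),
    "CVE-2023-27561": ("false-positive", {"sourcegraph/cadvisor"}),
    "CVE-2022-0543": ("false-positive", {"sourcegraph/redis-cache", "sourcegraph/redis-store", "sourcegraph/server"}),
    "CVE-2022-3734": ("false-positive", {"sourcegraph/redis-cache", "sourcegraph/redis-store", "sourcegraph/server"}),
    "CVE-2022-31107": ("false-positive", {"sourcegraph/grafana", "sourcegraph/server"}),
    "CVE-2022-31123": ("false-positive", {"sourcegraph/grafana", "sourcegraph/server"}),
    "CVE-2022-31130": ("false-positive", {"sourcegraph/grafana", "sourcegraph/server"}),
    "CVE-2022-39201": ("false-positive", {"sourcegraph/grafana", "sourcegraph/server"}),
}


def image_name(ref: str) -> str:
    """Normalise an image reference to 'org/name'.

    Drops a trailing ' (os info)' suffix as Trivy targets carry it, the digest,
    the tag, and a leading registry host such as docker.io or localhost:5000.
    """
    ref = ref.split()[0].split("@", 1)[0]
    parts = ref.split("/")
    parts[-1] = parts[-1].split(":", 1)[0]  # tag lives only in the last path segment
    if len(parts) > 2 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]
    return "/".join(parts)


def triage(report: dict) -> dict:
    """Classify each finding for one image.

    Returns {'accepted': [(cve, pkg)], 'false_positive': [(cve, pkg)],
             'needs_triage': [(cve, pkg, reason)]}.
    A CVE listed only for a different image is deliberately kept in
    'needs_triage': the rationale was made for that image and does not transfer.
    """
    image = image_name(report["image"])
    out = {"accepted": [], "false_positive": [], "needs_triage": []}
    for finding in report["findings"]:
        cve, pkg = finding["id"], finding.get("package", "")
        entry = KNOWN.get(cve)
        if entry is None:
            out["needs_triage"].append((cve, pkg, "not in accepted list"))
        elif image not in entry[1]:
            out["needs_triage"].append((cve, pkg, "listed only for " + ", ".join(sorted(entry[1]))))
        elif entry[0] == "accepted":
            out["accepted"].append((cve, pkg))
        else:
            out["false_positive"].append((cve, pkg))
    return out


# Constructed sample reports (assumption: simplified Trivy-like shape). The package
# names and CVE-0000-00000 are placeholders, not claims about the real images.
SAMPLE_REPORTS = [
    {
        "image": "docker.io/sourcegraph/prometheus:5.1.0 (alpine 3.18)",
        "findings": [
            {"id": "CVE-2022-41723", "package": "golang.org/x/net"},
            {"id": "CVE-2022-0543", "package": "redis"},      # listed, but only for the Redis images
            {"id": "CVE-0000-00000", "package": "placeholder"},  # not on the page at all
        ],
    },
    {
        "image": "sourcegraph/redis-cache:5.1.0",
        "findings": [{"id": "CVE-2022-0543", "package": "redis"}],
    },
]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        print(report["image"])
        print(json.dumps(triage(report), indent=2))
```

Run it as-is to see the two sample reports triaged; to use it on real output, map your scanner's report into the `image`/`findings` shape and re-check the `KNOWN` table against the version of this page that matches your release.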