# Accepted CVEs for Sourcegraph 5.1.9

| CVE ID                                                                  | Affected Images  | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score                                                                                                                                                                    | Details                                                                                                                        |
| ----------------------------------------------------------------------- | ---------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| [CVE-2022-48174](https://access.redhat.com/security/cve/CVE-2022-48174) | sourcegraph/dind | Critical     | 9.8             | Low                                                                                                            | [2.7](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:X/RC:U/CR:L/IR:L/AR:L/MAV:A/MAC:H/MPR:H/MUI:N/MS:C/MC:L/MI:L/MA:L&version=3.1) | The ash shell in sourcegraph/dind is not exposed to attackers and only reacheable through direct access to the infrastructure. |

## Known False Positives

Some scanners incorrectly identify false positives in our images:

| Vulnerability ID                                                                                                                                                                                                                                                           | Affected Images                                                      | Note                                                                                     |
| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- |
| [CVE-2023-27561](https://www.cve.org/CVERecord?id=CVE-2023-27561)                                                                                                                                                                                                          | sourcegraph/cadvisor                                                 | False positive - this is patched in `github.com/opencontainers/runc/libcontainer@v1.1.5` |
| [CVE-2022-0543](https://www.cve.org/CVERecord?id=CVE-2022-0543), [CVE-2022-3734](https://www.cve.org/CVERecord?id=CVE-2022-3734)                                                                                                                                           | sourcegraph/redis-cache, sourcegraph/redis-store, sourcegraph/server | False positive - these vulnerabilities are specific to Windows and Debian releases       |
| [CVE-2022-31107](https://www.cve.org/CVERecord?id=CVE-2022-31107), [CVE-2022-31123](https://www.cve.org/CVERecord?id=CVE-2022-31123), [CVE-2022-31130](https://www.cve.org/CVERecord?id=CVE-2022-31130), [CVE-2022-39201](https://www.cve.org/CVERecord?id=CVE-2022-39201) | sourcegraph/grafana, sourcegraph/server                              | False positive - these vulnerabilities have been patched by Chainguard                   |


<section class="h0Wrapper headingWrapper"><section class="h1Wrapper headingWrapper"><h1 id="accepted-cves-for-sourcegraph-519"><a class="anchor" aria-hidden tabindex="-1" href="#accepted-cves-for-sourcegraph-519"><span class="icon icon-link"></span></a>Accepted CVEs for Sourcegraph 5.1.9</h1>























<div class="table-responsive"><table><thead><tr><th>CVE ID</th><th>Affected Images</th><th>CVE Severity</th><th>CVSS Base Score</th><th><a href="../../../../engineering/dev/policies/vulnerability-management-policy#severity-levels">Sourcegraph Assessment</a></th><th>CVSS Environmental Score</th><th>Details</th></tr></thead><tbody><tr><td><a href="https://access.redhat.com/security/cve/CVE-2022-48174">CVE-2022-48174</a></td><td>sourcegraph/dind</td><td>Critical</td><td>9.8</td><td>Low</td><td><a href="https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:X/RC:U/CR:L/IR:L/AR:L/MAV:A/MAC:H/MPR:H/MUI:N/MS:C/MC:L/MI:L/MA:L&#x26;version=3.1">2.7</a></td><td>The ash shell in sourcegraph/dind is not exposed to attackers and only reacheable through direct access to the infrastructure.</td></tr></tbody></table></div>
<section class="h2Wrapper headingWrapper"><h2 id="known-false-positives"><a class="anchor" aria-hidden tabindex="-1" href="#known-false-positives"><span class="icon icon-link"></span></a>Known False Positives</h2>
<p>Some scanners incorrectly identify false positives in our images:</p>

























<div class="table-responsive"><table><thead><tr><th>Vulnerability ID</th><th>Affected Images</th><th>Note</th></tr></thead><tbody><tr><td><a href="https://www.cve.org/CVERecord?id=CVE-2023-27561">CVE-2023-27561</a></td><td>sourcegraph/cadvisor</td><td>False positive - this is patched in <code>github.com/opencontainers/runc/libcontainer@v1.1.5</code></td></tr><tr><td><a href="https://www.cve.org/CVERecord?id=CVE-2022-0543">CVE-2022-0543</a>, <a href="https://www.cve.org/CVERecord?id=CVE-2022-3734">CVE-2022-3734</a></td><td>sourcegraph/redis-cache, sourcegraph/redis-store, sourcegraph/server</td><td>False positive - these vulnerabilities are specific to Windows and Debian releases</td></tr><tr><td><a href="https://www.cve.org/CVERecord?id=CVE-2022-31107">CVE-2022-31107</a>, <a href="https://www.cve.org/CVERecord?id=CVE-2022-31123">CVE-2022-31123</a>, <a href="https://www.cve.org/CVERecord?id=CVE-2022-31130">CVE-2022-31130</a>, <a href="https://www.cve.org/CVERecord?id=CVE-2022-39201">CVE-2022-39201</a></td><td>sourcegraph/grafana, sourcegraph/server</td><td>False positive - these vulnerabilities have been patched by Chainguard</td></tr></tbody></table></div></section></section></section>

Vulnerability ID	Affected Images	Note
CVE-2023-27561	sourcegraph/cadvisor	False positive - this is patched in `github.com/opencontainers/runc/libcontainer@v1.1.5`
CVE-2022-0543, CVE-2022-3734	sourcegraph/redis-cache, sourcegraph/redis-store, sourcegraph/server	False positive - these vulnerabilities are specific to Windows and Debian releases
CVE-2022-31107, CVE-2022-31123, CVE-2022-31130, CVE-2022-39201	sourcegraph/grafana, sourcegraph/server	False positive - these vulnerabilities have been patched by Chainguard