Accepted CVEs for Sourcegraph 5.2.1
CVE ID | Affected Images | CVE Severity | CVSS Base Score | Sourcegraph Assessment | CVSS Environmental Score | Details |
---|---|---|---|---|---|---|
CVE-2023-45142 | caddy | High | 7.5 | Medium | 5.7 | There is currently no patched version of Caddy available that resolves this issue. We will update once the patch is available. The affected instances are not typically exposed on the internet, so the likelihood of exploitation is low. This issue only has a potential impact on the availability of the Caddy service. |
CVE-2023-45853 | sourcegraph/grafana, sourcegraph/blobstore, sourcegraph/cadvisor, sourcegraph/frontend, sourcegraph/github-proxy, sourcegraph/gitserver, sourcegraph/indexed-searcher, sourcegraph/migrator, sourcegraph/node-exporter, sourcegraph/opentelemetry-collector, sourcegraph/postgres_exporter, sourcegraph/precise-code-intel-worker, sourcegraph/prometheus, sourcegraph/redis-cache, sourcegraph/redis-store, sourcegraph/repo-updater, sourcegraph/search-indexer, sourcegraph/searcher, sourcegraph/symbols, sourcegraph/syntax-highlighter, sourcegraph/worker | Critical | 9.8 | Medium | 4.7 | This vulnerability affects the zlib library's zip file handling. The issue is not present in Sourcegraph, as the application does not accept zip files as part of requests. |
CVE-2023-40283 | sourcegraph/grafana | High | 7.8 | Medium | 4.7 | This issue is not present in Sourcegraph, as the application does not use Bluetooth features. |
CVE-2023-39325 | sourcegraph/node-exporter, sourcegraph/server, sourcegraph/postgres_exporter | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low, and it does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. |
Known False Positives
Some scanners report the following findings in our images, which are false positives:
Vulnerability ID | Affected Images | Note |
---|---|---|
SNYK-GOLANG-GITHUBCOMCYPHARFILEPATHSECUREJOIN-5889602 | sourcegraph/cadvisor | This potential security issue only affects filepath-securejoin when used on Windows; all Sourcegraph deployments use Linux. |