Accepted CVEs for Sourcegraph 5.2.3

CVE ID	Affected Images	CVE Severity	CVSS Base Score	Sourcegraph Assessment	CVSS Environmental Score	Details
CVE-2023-39325	caddy	High	7.5	Medium	4.7	The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself.
CVE-2023-39325	caddy, sourcegraph/executor, sourcegraph/bundled-executor	High	7.5	Medium	4.7	The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself.
GHSA-M425-MQ94-257G	caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor	High	7.5	Medium	5	We are not vulnerable to ‘gRPC-Go HTTP/2 Rapid Reset vulnerability’ because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure.

Known False Positives

Some scanners incorrectly identify false positives in our images:

Vulnerability ID	Affected Images	Note
SNYK-GOLANG-GITHUBCOMCYPHARFILEPATHSECUREJOIN-5889602	sourcegraph/cadvisor	This potential security issue only affects `filepath-securejoin` when used on Windows - all Sourcegraph deployments use Linux