This repository has been archived by the owner on Jul 2, 2024. It is now read-only.
CVE justifications for 5.2.6 (#8427)
Co-authored-by: mohammadualam <[email protected]>
1 parent 44284ce, commit f3afbef. Showing 2 changed files with 18 additions and 0 deletions.
@@ -0,0 +1,17 @@ | ||
# Accepted CVEs for Sourcegraph 5.2.4 | ||
|
||
| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | | ||
| ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ||
| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor, sourcegraph/dind, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | | ||
| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | | ||
| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | caddy | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | ||
| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | ||
| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | ||
|
||
## Known False Positives | ||
|
||
Some scanners incorrectly identify false positives in our images: | ||
|
||
| Vulnerability ID | Affected Images | Note | | ||
| -------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | ----------------------------------------------------------------------------------------------------------------------------- | | ||
| [SNYK-GOLANG-GITHUBCOMCYPHARFILEPATHSECUREJOIN-5889602](https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCYPHARFILEPATHSECUREJOIN-5889602) | sourcegraph/cadvisor | This potential security issue only affects `filepath-securejoin` when used on Windows - all Sourcegraph deployments use Linux | |
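Review bot: the heading on the first added line reads "Accepted CVEs for Sourcegraph 5.2.4" while the commit message says "CVE justifications for 5.2.6"; if this file is the 5.2.6 justification, the heading should say 5.2.6 so the acceptances are not attributed to the wrong release. In the GHSA-M425-MQ94-257G row the Affected Images cell lists `sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy` twice, and the link points at the grpc-go repository root rather than the advisory itself; deduplicate the list and link the GHSA advisory page so the assessment can be checked. Same row: "these service directly" should be "these services directly" and "reacheable" should be "reachable".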