This repository has been archived by the owner on Jul 2, 2024. It is now read-only.
Commit
1 parent 9b6ded5, commit f87a7bf
Showing 1 changed file with 7 additions and 6 deletions.
@@ -1,7 +1,8 @@ | ||
# Accepted CVEs for Sourcegraph 5.2.7 | ||
| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | | ||
|-|-|-|-|-|-|- | | ||
| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)| sourcegraph/executor, sourcegraph/bundled-executor, sourcegraph/executor-kubernetes| High| 7.5| Medium| 4.7| The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | | ||
| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go)| sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor| High| 7.5| Medium| 5| We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | | ||
| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108)| sourcegraph/dind| High| 7.5| Info| 0| This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | ||
| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142)| sourcegraph/dind| High| 7.5| Info| 0| This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | ||
|
||
| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | | ||
| ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | ||
| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, sourcegraph/bundled-executor, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | | ||
| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | | ||
| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | ||
| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | |
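Review bot: the Affected Images cell of the GHSA-M425-MQ94-257G row lists sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor and sourcegraph/bundled-executor twice, and because this change only realigns the column widths, the duplicates and the typos in that row's Details cell ("these service", "reacheable") carry over into the new table unchanged. Suggest deduplicating the image list to "sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy" and rewording the assessment to "...because we do not expose these services directly to the internet; they are only reachable through direct access to the infrastructure." The same row links to the grpc-go repository root rather than to the advisory itself, so a reader cannot follow the link to the description of the Rapid Reset issue the assessment refers to; the other rows link to the specific CVE entries, and this one should do the same.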