From f87a7bf474752d34cbc17736c4f541822cdf2298 Mon Sep 17 00:00:00 2001 From: dcomas Date: Thu, 25 Jan 2024 20:34:22 +0000 Subject: [PATCH] squash! Prettier --- content/departments/security/tooling/trivy/5-2-7.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/content/departments/security/tooling/trivy/5-2-7.md b/content/departments/security/tooling/trivy/5-2-7.md index 00ede772dc66..aeb1c0cb9c87 100644 --- a/content/departments/security/tooling/trivy/5-2-7.md +++ b/content/departments/security/tooling/trivy/5-2-7.md 
@@ -1,7 +1,8 @@ # Accepted CVEs for Sourcegraph 5.2.7 -| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | -|-|-|-|-|-|-|- | -| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)| sourcegraph/executor, sourcegraph/bundled-executor, sourcegraph/executor-kubernetes| High| 7.5| Medium| 4.7| The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | -| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go)| sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor| High| 7.5| Medium| 5| We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | -| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108)| sourcegraph/dind| High| 7.5| Info| 0| This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | -| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142)| sourcegraph/dind| High| 7.5| Info| 0| This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. 
| + +| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | +| ----------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, sourcegraph/bundled-executor, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | +| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. 
| +| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |
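Review bot: The GHSA-M425-MQ94-257G row in this hunk lists each affected image twice (`sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor` appears both before and after `caddy`), and its Details cell carries two typos ("these service", "only reacheable"); since this squash commit only reflows the table, either fold those fixes into the same autosquash or open a follow-up: deduplicate the image list and reword to "we do not expose these services directly to the internet and they are only reachable through direct access to the infrastructure." The GHSA link in that row also points at the grpc-go repository root rather than the advisory itself, unlike the NVD and Red Hat links in the other rows, so a reader cannot jump straight to the advisory text. The reformat is otherwise correct: the header separator is now a proper full-width row and a blank line separates the table from the heading, which is what Prettier expects.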