From 3b6e3d7e334eb8b99bee1c29fe57d54b76d626ab Mon Sep 17 00:00:00 2001 From: Mohammad Alam Date: Wed, 10 Jan 2024 15:43:25 -0500 Subject: [PATCH 01/11] CVE justifications for 5.2.6 --- .../departments/security/tooling/trivy/5-2-6.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 content/departments/security/tooling/trivy/5-2-6.md diff --git a/content/departments/security/tooling/trivy/5-2-6.md b/content/departments/security/tooling/trivy/5-2-6.md new file mode 100644 index 000000000000..406b7e06be62 --- /dev/null +++ b/content/departments/security/tooling/trivy/5-2-6.md 
@@ -0,0 +1,17 @@ +# Accepted CVEs for Sourcegraph 5.2.4 + +| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | +| ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | +| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | +| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. 
This image is not part of standard deployments. | +| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | + +## Known False Positives + +Some scanners incorrectly identify false positives in our images: + +| Vulnerability ID | Affected Images | Note | +| -------------------------------------------------------------------------------------------------------------------------------------------- | -------------------- | ----------------------------------------------------------------------------------------------------------------------------- | +| [SNYK-GOLANG-GITHUBCOMCYPHARFILEPATHSECUREJOIN-5889602](https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMCYPHARFILEPATHSECUREJOIN-5889602) | sourcegraph/cadvisor | This potential security issue only affects `filepath-securejoin` when used on Windows - all Sourcegraph deployments use Linux | From da6f4bc2cc73a622cf2c32d1eb3346db9cebf99c Mon Sep 17 00:00:00 2001 From: mohammadualam Date: Wed, 10 Jan 2024 20:44:41 +0000 Subject: [PATCH 02/11] squash! Prettier --- .../departments/security/tooling/trivy/5-2-6.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/content/departments/security/tooling/trivy/5-2-6.md b/content/departments/security/tooling/trivy/5-2-6.md index 406b7e06be62..ff116b1072ab 100644 --- a/content/departments/security/tooling/trivy/5-2-6.md +++ b/content/departments/security/tooling/trivy/5-2-6.md 
@@ -1,12 +1,12 @@ # Accepted CVEs for Sourcegraph 5.2.4 -| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | -| ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | -| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | -| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. 
This image is not part of standard deployments. | -| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | -| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | +| ------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. 
| +| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | +| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | ## Known False Positives From 9e061eee798b09017ee2848ecf8f97cee708b46b Mon Sep 17 00:00:00 2001 From: Mohammad Alam Date: Wed, 10 Jan 2024 15:45:21 -0500 Subject: [PATCH 03/11] Update index.md --- content/departments/security/tooling/trivy/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/departments/security/tooling/trivy/index.md b/content/departments/security/tooling/trivy/index.md index ffb5c65f8cce..c2458031682c 100644 --- a/content/departments/security/tooling/trivy/index.md +++ b/content/departments/security/tooling/trivy/index.md @@ -118,6 +118,7 @@ or that we have accepted as low risk. You can find more details about these belo ### 5.2 +- [5.2.6](./5-2-6.md) - [5.2.5](./5-2-5.md) - [5.2.4](./5-2-4.md) - [5.2.3](./5-2-3.md) 
From 6225bd0194ba51ef615fe10060ca3acf71ec505a Mon Sep 17 00:00:00 2001 From: Mohammad Alam Date: Wed, 10 Jan 2024 15:57:14 -0500 Subject: [PATCH 04/11] Update 5-2-6.md --- content/departments/security/tooling/trivy/5-2-6.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/departments/security/tooling/trivy/5-2-6.md b/content/departments/security/tooling/trivy/5-2-6.md index ff116b1072ab..934d787593f0 100644 --- a/content/departments/security/tooling/trivy/5-2-6.md +++ b/content/departments/security/tooling/trivy/5-2-6.md 
@@ -3,7 +3,7 @@ | CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | | ------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | -| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. 
| +| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | | [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | From 4108a95d714b7c95058d596c5c037668b19d7aeb Mon Sep 17 00:00:00 2001 From: mohammadualam Date: Wed, 10 Jan 2024 20:58:25 +0000 Subject: [PATCH 05/11] squash! Prettier --- content/departments/security/tooling/trivy/5-2-6.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/content/departments/security/tooling/trivy/5-2-6.md b/content/departments/security/tooling/trivy/5-2-6.md index 934d787593f0..822eed75b124 100644 --- a/content/departments/security/tooling/trivy/5-2-6.md +++ b/content/departments/security/tooling/trivy/5-2-6.md 
@@ -1,12 +1,12 @@ # Accepted CVEs for Sourcegraph 5.2.4 -| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | -| ------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. 
| +| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | +| ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | | [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. 
| -| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | -| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | -| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | ## Known False Positives From 4319dfbaa8b51d1422ea18a36320b2d98835994e Mon Sep 17 00:00:00 2001 From: Mohammad Alam Date: Wed, 10 Jan 2024 16:13:56 -0500 Subject: [PATCH 06/11] Update 5-2-6.md --- content/departments/security/tooling/trivy/5-2-6.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/departments/security/tooling/trivy/5-2-6.md b/content/departments/security/tooling/trivy/5-2-6.md index 822eed75b124..db897073dae7 100644 --- a/content/departments/security/tooling/trivy/5-2-6.md 
+++ b/content/departments/security/tooling/trivy/5-2-6.md 
@@ -5,8 +5,8 @@ | [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | | [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | | [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | -| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | -| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. 
| +| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | ## Known False Positives From 227459e332c656eb04cac49ccc725c7b3498b983 Mon Sep 17 00:00:00 2001 From: mohammadualam Date: Wed, 10 Jan 2024 21:15:08 +0000 Subject: [PATCH 07/11] squash! Prettier --- content/departments/security/tooling/trivy/5-2-6.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/departments/security/tooling/trivy/5-2-6.md b/content/departments/security/tooling/trivy/5-2-6.md index db897073dae7..27bd2e3397c7 100644 --- a/content/departments/security/tooling/trivy/5-2-6.md +++ b/content/departments/security/tooling/trivy/5-2-6.md 
@@ -5,8 +5,8 @@ | [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | | [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | | [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | -| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | -| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. 
| +| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | ## Known False Positives From 2eef0fc99582acd831e1cd6eb2c813139f38ae7a Mon Sep 17 00:00:00 2001 From: Mohammad Alam Date: Wed, 10 Jan 2024 16:16:37 -0500 Subject: [PATCH 08/11] Update 5-2-6.md --- content/departments/security/tooling/trivy/5-2-6.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/departments/security/tooling/trivy/5-2-6.md b/content/departments/security/tooling/trivy/5-2-6.md index 27bd2e3397c7..91f2f7f31d39 100644 --- a/content/departments/security/tooling/trivy/5-2-6.md +++ b/content/departments/security/tooling/trivy/5-2-6.md 
@@ -2,7 +2,7 @@ | CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | | ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | +| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor, sourcegraph/dind, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. 
| | [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | | [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | From 3d43c88515c1340b2ed2cc86046057eeb3a2747c Mon Sep 17 00:00:00 2001 From: mohammadualam Date: Wed, 10 Jan 2024 21:17:45 +0000 Subject: [PATCH 09/11] squash! Prettier --- content/departments/security/tooling/trivy/5-2-6.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/departments/security/tooling/trivy/5-2-6.md b/content/departments/security/tooling/trivy/5-2-6.md index 91f2f7f31d39..0557900e6eb9 100644 --- a/content/departments/security/tooling/trivy/5-2-6.md +++ b/content/departments/security/tooling/trivy/5-2-6.md 
@@ -2,7 +2,7 @@ | CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | | ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor, sourcegraph/dind, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | +| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor, sourcegraph/dind, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. 
| | [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | | [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | From d06ac353110163959367fe654ce5617bae631292 Mon Sep 17 00:00:00 2001 From: Mohammad Alam Date: Wed, 10 Jan 2024 16:20:40 -0500 Subject: [PATCH 10/11] Update 5-2-6.md --- content/departments/security/tooling/trivy/5-2-6.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/departments/security/tooling/trivy/5-2-6.md b/content/departments/security/tooling/trivy/5-2-6.md index 0557900e6eb9..5fb0e16eea1e 100644 --- a/content/departments/security/tooling/trivy/5-2-6.md +++ b/content/departments/security/tooling/trivy/5-2-6.md 
@@ -4,7 +4,7 @@ | ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor, sourcegraph/dind, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | | [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | -| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. 
| +| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | caddy | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | From 75c76513562bc8901eaa26e47283cb8c0df8655c Mon Sep 17 00:00:00 2001 From: mohammadualam Date: Wed, 10 Jan 2024 21:21:52 +0000 Subject: [PATCH 11/11] squash! Prettier --- content/departments/security/tooling/trivy/5-2-6.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/departments/security/tooling/trivy/5-2-6.md b/content/departments/security/tooling/trivy/5-2-6.md index 5fb0e16eea1e..5cb78e63808d 100644 --- a/content/departments/security/tooling/trivy/5-2-6.md +++ b/content/departments/security/tooling/trivy/5-2-6.md 
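Review bot: the `+` line for CVE-2023-5363 changes Affected Images from sourcegraph/dind to caddy but leaves the Details cell untouched, so the justification "This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments." now describes caddy rather than sourcegraph/dind; please re-confirm that both sentences, and the Info assessment with environmental score 0, actually hold for the caddy image, since the same wording is also used for the caddy entries in the CVE-2023-47108 and CVE-2023-45142 rows. Also, the replacement cell is padded with trailing spaces to the old column width, which is why a follow-up formatting commit becomes necessary.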
@@ -4,7 +4,7 @@ | ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/executor, caddy, sourcegraph/bundled-executor, sourcegraph/dind, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | | [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, caddy, sourcegraph/executor-kubernetes, sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor | High | 7.5 | Medium | 5 | We are not vulnerable to 'gRPC-Go HTTP/2 Rapid Reset vulnerability' because we do not expose these service directly to the internet and only reacheable through direct access to the infrastructure. | -| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | caddy | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. 
| +| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | caddy | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | caddy, sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |
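Review bot: this hunk is whitespace-only (the `-` and `+` lines for CVE-2023-5363 differ only in cell padding), which matches the `squash!` intent in the subject, but `squash! Prettier` will not be picked up by `git rebase -i --autosquash` because no commit in the series has a subject beginning with "Prettier" (the preceding subjects are "CVE justifications for 5.2.6" and "Update 5-2-6.md"); either rename it to `squash! Update 5-2-6.md` or squash it manually before merge so the series does not land with a formatting-only commit.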