From c5442762a35429369fb6c0441be78d5376768565 Mon Sep 17 00:00:00 2001 From: Mohammad Alam Date: Fri, 8 Mar 2024 17:02:58 -0500 Subject: [PATCH 1/4] Create 5-3-2.md --- .../departments/security/tooling/trivy/5-3-2.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 content/departments/security/tooling/trivy/5-3-2.md diff --git a/content/departments/security/tooling/trivy/5-3-2.md b/content/departments/security/tooling/trivy/5-3-2.md new file mode 100644 index 000000000000..b08065238183 --- /dev/null +++ b/content/departments/security/tooling/trivy/5-3-2.md @@ -0,0 +1,14 @@ +# Accepted CVEs for Sourcegraph 5.3.1 + +| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | +| ------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/dind | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | +| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, sourcegraph/executor, sourcegraph/bundled-executor, sourcegraph/dind, caddy, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | +| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-7104](https://access.redhat.com/errata/RHSA-2024:0465) | sourcegraph/codeinsights-db, sourcegraph/codeintel-db, sourcegraph/postgres-12-alpine | High | 7.3 | Medium | 4.1 | This is not exploitable over the internet. It would require an actor to write very specific SQLITE queries which is not possible in the default configuration. | +| [CVE-2024-23652](https://access.redhat.com/security/cve/CVE-2024-23652) | sourcegraph/dind | Critical | 7.4 | Info | 0 | We are not vulnerable for this issue as it requires access to our underlying infrastructure for exploitation. An actor cannot use this to gain access to our instances. | +| [CVE-2024-23653](https://access.redhat.com/security/cve/CVE-2024-23653) | sourcegraph/dind | Critical | 9.8 | Info | 0 | We are not vulnerable for this issue as it requires access to our underlying infrastructure for exploitation. An actor cannot use this to gain access to our instances. | +| [CVE-2024-23651](https://access.redhat.com/security/cve/CVE-2024-23651) | sourcegraph/dind | High | 7.4 | Info | 0 | We are not vulnerable for this issue as it requires access to our underlying infrastructure for exploitation. An actor cannot use this to gain access to our instances. | +| [CVE-2024-21626](http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html) | sourcegraph/dind | High | 8.6 | High | 8.6 | Dind is used for Kubernetes executors and is not part of the standard deployment. This issue is not fixed in the latest dind release, and we will upgrade once a patch is available. | +| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 0 | info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | From 4fe3e33ace2103770413b662ef80f4773de0e238 Mon Sep 17 00:00:00 2001 From: Mohammad Alam Date: Fri, 8 Mar 2024 17:03:40 -0500 Subject: [PATCH 2/4] Update index.md --- content/departments/security/tooling/trivy/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/departments/security/tooling/trivy/index.md b/content/departments/security/tooling/trivy/index.md index 7c38f2173a4f..ce5f38188e82 100644 --- a/content/departments/security/tooling/trivy/index.md +++ b/content/departments/security/tooling/trivy/index.md @@ -118,6 +118,7 @@ or that we have accepted as low risk. You can find more details about these belo ### 5.3 +- [5.3.2](./5-3-2.md) - [5.3.1](./5-3-1.md) - [5.3.0](./5-3-0.md) From 29cdd6b08b2715d1ff89e5452eb6d301dec3ef33 Mon Sep 17 00:00:00 2001 From: Mohammad Alam Date: Fri, 8 Mar 2024 17:03:53 -0500 Subject: [PATCH 3/4] Update 5-3-2.md --- content/departments/security/tooling/trivy/5-3-2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/departments/security/tooling/trivy/5-3-2.md b/content/departments/security/tooling/trivy/5-3-2.md index b08065238183..956c8a23e140 100644 --- a/content/departments/security/tooling/trivy/5-3-2.md +++ b/content/departments/security/tooling/trivy/5-3-2.md @@ -1,4 +1,4 @@ -# Accepted CVEs for Sourcegraph 5.3.1 +# Accepted CVEs for Sourcegraph 5.3.2 | CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | | ------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | From 21515b39851efeb355b08dffbd12df23898ff96d Mon Sep 17 00:00:00 2001 From: mohammadualam Date: Fri, 8 Mar 2024 22:04:57 +0000 Subject: [PATCH 4/4] squash! Prettier --- content/departments/security/tooling/trivy/5-3-2.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/departments/security/tooling/trivy/5-3-2.md b/content/departments/security/tooling/trivy/5-3-2.md index 956c8a23e140..e9f5c4edfcb7 100644 --- a/content/departments/security/tooling/trivy/5-3-2.md +++ b/content/departments/security/tooling/trivy/5-3-2.md @@ -2,13 +2,13 @@ | CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details | | ------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/dind | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | +| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/dind | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | | [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, sourcegraph/executor, sourcegraph/bundled-executor, sourcegraph/dind, caddy, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. | | [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | -| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | | [CVE-2023-7104](https://access.redhat.com/errata/RHSA-2024:0465) | sourcegraph/codeinsights-db, sourcegraph/codeintel-db, sourcegraph/postgres-12-alpine | High | 7.3 | Medium | 4.1 | This is not exploitable over the internet. It would require an actor to write very specific SQLITE queries which is not possible in the default configuration. | | [CVE-2024-23652](https://access.redhat.com/security/cve/CVE-2024-23652) | sourcegraph/dind | Critical | 7.4 | Info | 0 | We are not vulnerable for this issue as it requires access to our underlying infrastructure for exploitation. An actor cannot use this to gain access to our instances. | | [CVE-2024-23653](https://access.redhat.com/security/cve/CVE-2024-23653) | sourcegraph/dind | Critical | 9.8 | Info | 0 | We are not vulnerable for this issue as it requires access to our underlying infrastructure for exploitation. An actor cannot use this to gain access to our instances. | | [CVE-2024-23651](https://access.redhat.com/security/cve/CVE-2024-23651) | sourcegraph/dind | High | 7.4 | Info | 0 | We are not vulnerable for this issue as it requires access to our underlying infrastructure for exploitation. An actor cannot use this to gain access to our instances. | | [CVE-2024-21626](http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html) | sourcegraph/dind | High | 8.6 | High | 8.6 | Dind is used for Kubernetes executors and is not part of the standard deployment. This issue is not fixed in the latest dind release, and we will upgrade once a patch is available. | -| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 0 | info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. | +| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 0 | info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |