This repository has been archived by the owner on Jul 2, 2024. It is now read-only.

CVEs for release 5.3.2 #8691

Merged
merged 4 commits into from
Mar 8, 2024
14 changes: 14 additions & 0 deletions content/departments/security/tooling/trivy/5-3-2.md
@@ -0,0 +1,14 @@
# Accepted CVEs for Sourcegraph 5.3.2

| CVE ID | Affected Images | CVE Severity | CVSS Base Score | [Sourcegraph Assessment](../../../engineering/dev/policies/vulnerability-management-policy.md#severity-levels) | CVSS Environmental Score | Details |
| ------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | --------------- | -------------------------------------------------------------------------------------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325) | sourcegraph/dind | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. |
| [GHSA-M425-MQ94-257G](https://github.com/grpc/grpc-go) | sourcegraph/dind, sourcegraph/executor, sourcegraph/bundled-executor, sourcegraph/executor, sourcegraph/bundled-executor, sourcegraph/dind, caddy, sourcegraph/executor-kubernetes | High | 7.5 | Medium | 4.7 | The services that are vulnerable to this issue are typically not exposed on the internet. The likelihood of exploitation is low and this does not have a significant impact on the security of the instance. The issue is not present in Sourcegraph itself. |
| [CVE-2023-47108](https://access.redhat.com/security/cve/CVE-2023-47108) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |
| [CVE-2023-45142](https://access.redhat.com/security/cve/CVE-2023-45142) | sourcegraph/dind | High | 7.5 | Info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |
| [CVE-2023-7104](https://access.redhat.com/errata/RHSA-2024:0465) | sourcegraph/codeinsights-db, sourcegraph/codeintel-db, sourcegraph/postgres-12-alpine | High | 7.3 | Medium | 4.1 | This is not exploitable over the internet. It would require an actor to write very specific SQLITE queries which is not possible in the default configuration. |
| [CVE-2024-23652](https://access.redhat.com/security/cve/CVE-2024-23652) | sourcegraph/dind | Critical | 7.4 | Info | 0 | We are not vulnerable for this issue as it requires access to our underlying infrastructure for exploitation. An actor cannot use this to gain access to our instances. |
| [CVE-2024-23653](https://access.redhat.com/security/cve/CVE-2024-23653) | sourcegraph/dind | Critical | 9.8 | Info | 0 | We are not vulnerable for this issue as it requires access to our underlying infrastructure for exploitation. An actor cannot use this to gain access to our instances. |
| [CVE-2024-23651](https://access.redhat.com/security/cve/CVE-2024-23651) | sourcegraph/dind | High | 7.4 | Info | 0 | We are not vulnerable for this issue as it requires access to our underlying infrastructure for exploitation. An actor cannot use this to gain access to our instances. |
| [CVE-2024-21626](http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html) | sourcegraph/dind | High | 8.6 | High | 8.6 | Dind is used for Kubernetes executors and is not part of the standard deployment. This issue is not fixed in the latest dind release, and we will upgrade once a patch is available. |
| [CVE-2023-5363](http://www.openwall.com/lists/oss-security/2023/10/24/1) | sourcegraph/dind | High | 0 | info | 0 | This workload is not exposed and cannot be reached over the internet. This image is not part of standard deployments. |
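Review bot: Several rows in the new table carry severity labels that do not match the CVSS base score next to them, which makes the accepted-risk record hard to audit: CVE-2024-23652 is marked "Critical" with a base score of 7.4 (the adjacent CVE-2024-23651 is "High" with the same 7.4), and CVE-2023-5363 is marked "High" with a base score of 0 and a lowercase "info" assessment where every other row uses "Info". Please reconcile each score with the linked advisory and use one spelling for the assessment column. The GHSA-M425-MQ94-257G row also lists sourcegraph/dind, sourcegraph/executor and sourcegraph/bundled-executor two or three times each in "Affected Images" and links to the grpc-go repository root rather than the advisory itself; deduplicate the image list and point the link at the advisory. Finally, the CVE-2024-21626 row accepts a High 8.6 finding on the basis that an upgrade will follow "once a patch is available"; a reference to the tracking issue for that upgrade would let a later reader confirm the acceptance was revisited.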
1 change: 1 addition & 0 deletions content/departments/security/tooling/trivy/index.md
Expand Up @@ -118,6 +118,7 @@ or that we have accepted as low risk. You can find more details about these belo

### 5.3

- [5.3.2](./5-3-2.md)
- [5.3.1](./5-3-1.md)
- [5.3.0](./5-3-0.md)
