CVE-2021-23214 | sourcegraph/server | High | Info | Some vulnerability scanners fingerprint this image as containing PostgreSQL 12.9, while the image actually contains 12.10. This finding is a false positive. |
CVE-2021-32027 | sourcegraph/server | High | Info | Some vulnerability scanners fingerprint this image as containing PostgreSQL 12.7, while the image actually contains 12.10. This finding is a false positive. |
CVE-2021-33194 | sourcegraph/grafana, sourcegraph/cadvisor, sourcegraph/server | High | Low | The CVE affects HTML parsers, specifically the ParseFragment function. The affected dependencies don’t use the function nor import the library. |
CVE-2021-38561 | sourcegraph/grafana, sourcegraph/cadvisor, sourcegraph/server | High | Info | The CVE affects application parsing language tag using the affected library. Neither of the Sourcegraph dependencies use x/text to parse arbitrary language tags. |
CVE-2021-44716 | sourcegraph/grafana, sourcegraph/cadvisor, sourcegraph/server | High | Low | In certain conditions, the monitoring functionality packaged with Sourcegraph (Grafana and cAdvisor) could be rendered temporarily inoperable via specially crafted HTTP/2 requests. Exploiting this vulnerability requires administrator-level access, and does not affect the core Sourcegraph functionality. Sourcegraph does not consider this issue a viable security threat to the product. |
CVE-2022-1552 | sourcegraph/server | High | Info | The vulnerability affects Postgres servers with multiple users where one user can bypass authorization controls and execute commands under a superuser identity. Sourcegraph runs Postgres with only the sg user, making the application not affected by this vulnerability. |
CVE-2022-2625 | sourcegraph/server | High | Info | Sourcegraph’s default permissions model means it is not vulnerable to this issue. |
CVE-2022-2795 | sourcegraph/frontend, sourcegraph/gitserver, sourcegraph/jaeger-all-in-one, sourcegraph/migrator, sourcegraph/postgres_exporter, sourcegraph/worker, sourcegraph/jaeger-agent, sourcegraph/repo-updater, sourcegraph/searcher, sourcegraph/syntax-highlighter, sourcegraph/github-proxy, sourcegraph/precise-code-intel-worker, sourcegraph/opentelemetry-collector | High | Info | A dependency bundled with Sourcegraph is vulnerable to denial of service attacks when configured in a specific way. Sourcegraph does not use this dependency in a way that renders it vulnerable to this issue. |
CVE-2022-2881 | sourcegraph/frontend, sourcegraph/gitserver, sourcegraph/jaeger-all-in-one, sourcegraph/migrator, sourcegraph/postgres_exporter, sourcegraph/worker, sourcegraph/jaeger-agent, sourcegraph/repo-updater, sourcegraph/searcher, sourcegraph/syntax-highlighter, sourcegraph/github-proxy, sourcegraph/precise-code-intel-worker, sourcegraph/opentelemetry-collector | High | Info | Some scanners incorrectly report our images as affected by this CVE – we are running a version of the affected software (9.16) that is not affected by this issue. |
CVE-2022-2906 | sourcegraph/frontend, sourcegraph/gitserver, sourcegraph/jaeger-all-in-one, sourcegraph/migrator, sourcegraph/postgres_exporter, sourcegraph/worker, sourcegraph/jaeger-agent, sourcegraph/repo-updater, sourcegraph/searcher, sourcegraph/syntax-highlighter, sourcegraph/github-proxy, sourcegraph/precise-code-intel-worker, sourcegraph/opentelemetry-collector | High | Info | Some scanners incorrectly report our images as affected by this CVE – we are running a version of the affected software (9.16) that is not affected by this issue. |
CVE-2022-3080 | sourcegraph/frontend, sourcegraph/gitserver, sourcegraph/jaeger-all-in-one, sourcegraph/migrator, sourcegraph/postgres_exporter, sourcegraph/worker, sourcegraph/jaeger-agent, sourcegraph/repo-updater, sourcegraph/searcher, sourcegraph/syntax-highlighter, sourcegraph/github-proxy, sourcegraph/precise-code-intel-worker, sourcegraph/opentelemetry-collector | High | Info | A dependency bundled with Sourcegraph is vulnerable to denial of service attacks when configured in a specific way. Sourcegraph does not use this dependency in a way that renders it vulnerable to this issue. |
CVE-2022-21698 | sourcegraph/cadvisor, sourcegraph/grafana, sourcegraph/postgres_exporter, sourcegraph/server | High | Low | The vulnerability affects several third party images shipped with Sourcegraph. However, it doesn’t affect Sourcegraph services dirtectly and the third party services are not exposed via HTTP. Sourcegraph is not vulnerable to this vulnerability. |
CVE-2022-27191 | caddy, sourcegraph/grafana, sourcegraph/prometheus, sourcegraph/server | High | Info | This vulnerability impacts SSH servers using the affected dependency. None of the affected images have ssh servers, much less using the dependency. Sourcegraph is not affected by this issue. |
CVE-2022-27664 | sourcegraph/cadvisor, sourcegraph/prometheus, sourcegraph/grafana, sourcegraph/jaeger-all-in-one, sourcegraph/minio, sourcegraph/indexed-searcher, sourcegraph/server, caddy, sourcegraph/jaeger-agent, sourcegraph/search-indexer | High | Low | This is a denial of service vulnerability that could affect the availability of Sourcegraph services in specific situations. As Sourcegraph is run as an internal service, our assessment of the severity of this issue is Low. |
CVE-2022-37315 | sourcegraph/frontend, sourcegraph/gitserver, sourcegraph/migrator, sourcegraph/precise-code-intel-worker, sourcegraph/repo-updater, sourcegraph/searcher, sourcegraph/server, sourcegraph/sg, sourcegraph/symbols, sourcegraph/worker | High | Info | This issue does not affect our GraphQL API. Users are only allowed to fully control GraphQL requests through the API console, which properly sanitizes the queries. |
CVE-2022-38177 | sourcegraph/frontend, sourcegraph/gitserver, sourcegraph/jaeger-all-in-one, sourcegraph/migrator, sourcegraph/postgres_exporter, sourcegraph/worker, sourcegraph/jaeger-agent, sourcegraph/repo-updater, sourcegraph/searcher, sourcegraph/syntax-highlighter, sourcegraph/github-proxy, sourcegraph/precise-code-intel-worker, sourcegraph/opentelemetry-collector | High | Info | A dependency bundled with Sourcegraph is vulnerable to denial of service attacks when configured in a specific way. Sourcegraph does not use this dependency in a way that renders it vulnerable to this issue. |
CVE-2022-38178 | sourcegraph/frontend, sourcegraph/gitserver, sourcegraph/jaeger-all-in-one, sourcegraph/migrator, sourcegraph/postgres_exporter, sourcegraph/worker, sourcegraph/jaeger-agent, sourcegraph/repo-updater, sourcegraph/searcher, sourcegraph/syntax-highlighter, sourcegraph/github-proxy, sourcegraph/precise-code-intel-worker, sourcegraph/opentelemetry-collector | High | Info | A dependency bundled with Sourcegraph is vulnerable to denial of service attacks when configured in a specific way. Sourcegraph does not use this dependency in a way that renders it vulnerable to this issue. |
CVE-2022-40674 | sourcegraph/cadvisor, sourcegraph/search-indexer | High | Info | This vulnerability affects a dependency of cAdvisor. cAdvisor itself does not use the vulnerable functionality, and is therefore not affected by the issue. It also affects our search-indexer image but Zoekt does not parse XML thus not being vulnerable to the issue. |
CVE-2021-43565 | sourcegraph/server, sourcegraph/prometheus, sourcegraph/grafana | High | Info | This vulnerability is reported in dependencies included by Sourcegraph. Sourcegraph itself doesn’t use the vulnerable functionality, and is therefore not affected by the issue. |
CVE-2022-37434 | caddy | High | Low | This vulnerability affects zlib, specifically the inflateGetHeader function. We use caddy as a reverse proxy and it does not process compressed files for Sourceraph. There is also no indication that caddy is vulnerable at all, similarly to NodeJS for the same vulnerability. |