Grafana OSS Vulnerability - Need Fix For latest v10.4.1

Looking for the vulnerability fix for the latest OSS v10.4.1. Below are the CVE IDs:

| CVE ID | Compliance ID | Type | Severity | Packages | Source Package | Package Version |
|---|---|---|---|---|---|---|
| CVE-2023-6992 | 46 | OS | medium | zlib | | 1.3.1-r0 |
| CVE-2024-25629 | 46 | OS | low | c-ares | | 1.24.0-r1 |
| CVE-2024-2511 | 46 | OS | low | libssl3,libcrypto3 | openssl | 3.1.4-r5 |
| CVE-2016-10735 | 49 | javascript | moderate | bootstrap | | 2.3.2 |
| CVE-2018-14040 | 49 | javascript | moderate | bootstrap | | 2.3.2 |
| CVE-2018-14042 | 49 | javascript | moderate | bootstrap | | 2.3.2 |
| CVE-2018-20676 | 49 | javascript | moderate | bootstrap | | 2.3.2 |
| CVE-2018-20677 | 49 | javascript | moderate | bootstrap | | 2.3.2 |
| CVE-2024-28180 | 416 | go | moderate | github.com/go-jose/go-jose/v3 | | v3.0.1 |
| GHSA-3m87-5598-2v4f | 416 | go | moderate | GitHub - prometheus/prometheus: The Prometheus monitoring system and time series database. | | v0.49.0 |
| CVE-2024-28180 | 416 | go | moderate | gopkg.in/square/go-jose.v2 | | v2.6.0 |
| CVE-2023-45288 | 416 | go | moderate | The Go Programming Language | | v0.20.0 |

Please can you give details of how this security scan is being performed?

Specifically:

  • which tool is being used to do the checks?

  • are you checking what is installed on a server, or how it responds over the
    network?

  • if it’s over a network, do you have adequate / standard firewall rules in
    place in between the checker and the Grafana system?

Antony.