Hi Team, I am using Grafana v10.3.1 (also tried v10.4.2 and v11.0.0), and I see security vulnerabilities being reported related to the AngularJS libraries; the CVE numbers are as below.
Issue1: CVE-2024-21490
Issue2: CVE-2022-25844
Issue3: CVE-2023-22467
So, I tried to remove the AngularJS libs that are causing these issues, but then the Grafana UI is broken; it does not load the Grafana dashboards home page.
So, how can I mitigate these issues? Any suggestions or pointers on this would be a great help.
Thanks in advance.
I'm not familiar with those particular CVEs and how they connect to Grafana, but yeah, I would expect Grafana to break in unexpected ways if the mitigation strategy is to remove Angular libraries.
Angular has been deprecated in Grafana for some time; if you upgrade to the most recent Grafana 11, the best approach forward is likely not to install/use Angular-based plugins.
Any detail you want to add on how you scanned this, or whether you have requirements for those Angular plugins (which ones), would be useful to add to this thread.
Hi David,
Currently I am using Grafana version v10.3.1-b2.0 (00a22ff8b2), community edition.
Below are the files reported as vulnerable from the JS libraries.
- The one below is related to the ua-parser-js library:
  usr/share/grafana/public/build/7029.078fb2f7f400340a67a2.js - CVE-2022-25927
- The one below is related to the Luxon library:
  usr/share/grafana/public/build/visjs-network.f2f32b766eaac5c87526.js - CVE-2023-22467
- The 4 below are related to Angular libraries:
  usr/share/grafana/public/build/7628.9cbb2e9333486ad30b93.js - CVE-2024-21490
  usr/share/grafana/public/build/7628.9cbb2e9333486ad30b93.js - CVE-2022-25844
  usr/share/grafana/public/build/5888.2cefe2ada56cdc23794c.js - CVE-2024-21490
  usr/share/grafana/public/build/5888.2cefe2ada56cdc23794c.js - CVE-2022-25844
I have not installed any additional/custom plugins. I am only using the default plugins/features. I don't see any plugins under any of the plugin directories of the Grafana image/container.
I also verified the same in Grafana 11, and the same files are still being reported, rated High (7.5).
When can I expect a fix for these issues? Or, if there is any solution available already, can you please share it so I can address these issues.
Thank you.
Hi Team, any pointers on the above issues would be a great help.
Thank you.