Hi Team, I am using Grafana v10.3.1 (also tried v10.4.2 and v11.0.0), and I see security vulnerabilities being reported related to the AngularJS libraries. The CVE numbers are below.
Issue1: CVE-2024-21490
Issue2: CVE-2022-25844
Issue3: CVE-2023-22467
So I tried to remove the AngularJS libs that are causing these issues, but then the Grafana UI is broken; it does not load the Grafana dashboards home page.
So, how can I mitigate these issues? Any suggestions or pointers on this would be a great help.
Thanks in advance.
I'm not familiar with those particular CVEs and how they connect to Grafana, but yeah, I would expect Grafana to break in unexpected ways if the mitigation strategy is to remove Angular libraries.
Angular has been deprecated in Grafana for some time; if you upgrade to the most recent Grafana 11, the best approach forward is likely not to install/use Angular-based plugins.
Any detail you want to add on how you scanned this, or whether you have requirements for those Angular plugins (and which ones), would be useful to add to this thread.
Hi David,
Currently I am using Grafana version v10.3.1-b2.0 (00a22ff8b2), community edition.
Below are the files reported as vulnerable, with the JS libraries involved.
- Below one is related to the ua-parser-js library
usr/share/grafana/public/build/7029.078fb2f7f400340a67a2.js - CVE-2022-25927
- Below one is related to the Luxon library
usr/share/grafana/public/build/visjs-network.f2f32b766eaac5c87526.js - CVE-2023-22467
- Below 4 are related to Angular libraries
usr/share/grafana/public/build/7628.9cbb2e9333486ad30b93.js - CVE-2024-21490
usr/share/grafana/public/build/7628.9cbb2e9333486ad30b93.js - CVE-2022-25844
usr/share/grafana/public/build/5888.2cefe2ada56cdc23794c.js - CVE-2024-21490
usr/share/grafana/public/build/5888.2cefe2ada56cdc23794c.js - CVE-2022-25844
I have not installed any additional/custom plugins. I am only using the default plugins/features. I don't see any plugins under any of the plugin directories of the Grafana image/container.
I also verified the same in Grafana 11, and the same files are still being reported, with a High severity score of 7.5.
When can I expect a fix for these issues? Or, if there is already a solution available, could you please share it so I can address these issues?
Thank you.
Hi Team, any pointers on the above issues would be a great help.
Thank you.
Hi @rambabupasini, sorry I'm so late in getting back to you. I spoke with our internal security team; we maintain an internal dashboard of the various CVEs and our stance on them. What I can share at this point is how we've got a few of them marked:
CVE-2024-21490 - Marked as won’t fix/deprecated
CVE-2022-25844 - Marked as won’t fix/deprecated
CVE-2024-21490 - Marked as won’t fix/deprecated
CVE-2022-25844 - Marked as won’t fix/deprecated
The reason this is the outcome is because of our deprecation announcement about Grafana, and the intention to remove it in G12. Full details on that can be found here:
This includes the straightforward statement:
In Grafana 12, support for AngularJS will be completely removed alongside the config parameter toggle.
Hi @davidallen5, thanks for the info provided.
Do we have any tentative ETA on the Grafana 12 release?
Thank you.
Hi @jangaraj and @davidallen5,
Thanks for the info.
Can we make any configuration changes so that those vulnerable JS files will not get added to the image?
@rambabupasini Grafana is open source. Since we're at the point where we're saying these are won't-fix because of the Angular deprecation, you always have the option of adjusting the Dockerfile for your local requirements and then building from source. Instructions are in the repo.
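If you do go the route of a customised Dockerfile and a from-source build, you will want a repeatable way to confirm which of the flagged bundles are actually gone from the resulting image. The script below is an added example written for this thread; it is not code from the Grafana project or from anyone posting above. It takes a scanner report in the "<path> - <CVE-ID>" form pasted earlier (a copy of those exact lines is embedded as constructed input) and checks them against an install root. It assumes that format, and that the content hashes in the bundle file names are specific to one Grafana build, so the report has to be regenerated for every version you rebuild; matching on the hashed names from 10.3.1 against an 11.x tree will simply report everything as removed.

```shell
#!/bin/sh
# Added example for this thread, not Grafana project code.
# Re-checks a scanner report ("<path> - <CVE-ID>" per line) against a
# Grafana install root to show which flagged bundles are still shipped.
set -eu

# Constructed copy of the report pasted earlier in the thread (same paths, same CVE IDs).
SCANNER_REPORT='usr/share/grafana/public/build/7029.078fb2f7f400340a67a2.js - CVE-2022-25927
usr/share/grafana/public/build/visjs-network.f2f32b766eaac5c87526.js - CVE-2023-22467
usr/share/grafana/public/build/7628.9cbb2e9333486ad30b93.js - CVE-2024-21490
usr/share/grafana/public/build/7628.9cbb2e9333486ad30b93.js - CVE-2022-25844
usr/share/grafana/public/build/5888.2cefe2ada56cdc23794c.js - CVE-2024-21490
usr/share/grafana/public/build/5888.2cefe2ada56cdc23794c.js - CVE-2022-25844'

# Unique file paths named in a report, one per line.
report_paths() {
  printf '%s\n' "$1" | awk -F' - ' 'NF >= 2 { print $1 }' | sort -u
}

# All CVE IDs the report attaches to one path, comma-separated.
cves_for_path() {
  printf '%s\n' "$2" | awk -F' - ' -v p="$1" \
    '$1 == p { s = s (s ? "," : "") $2 } END { print s }'
}

# Print "<path> <cve,cve>" for every flagged path that still exists under ROOT.
# Paths that are gone go to stderr as "removed: <path>" so stdout stays parseable.
still_present() {
  root=$1
  report=$2
  report_paths "$report" | while IFS= read -r p; do
    if [ -f "$root/$p" ]; then
      printf '%s %s\n' "$p" "$(cves_for_path "$p" "$report")"
    else
      printf 'removed: %s\n' "$p" >&2
    fi
  done
}

# Number of flagged paths still present under ROOT (stdout only, so the count is exact).
count_still_present() {
  still_present "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample tree standing in for a rebuilt image: the two Angular
# bundles (7628.* and 5888.*) are absent, the ua-parser-js and Luxon ones remain.
make_sample_root() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/usr/share/grafana/public/build"
  : > "$tmp/usr/share/grafana/public/build/7029.078fb2f7f400340a67a2.js"
  : > "$tmp/usr/share/grafana/public/build/visjs-network.f2f32b766eaac5c87526.js"
  printf '%s\n' "$tmp"
}

# Usage against a real image root extracted with e.g. "docker export":
#   still_present /tmp/grafana-rootfs "$(cat scanner-report.txt)"
demo() {
  root=$(make_sample_root)
  still_present "$root" "$SCANNER_REPORT"
  echo "still present: $(count_still_present "$root" "$SCANNER_REPORT")"
  rm -rf "$root"
}

demo
```

Two caveats worth keeping in mind when reading the output. First, the per-build hashes mean a clean result on one version says nothing about the next; rerun the scanner and this check after every rebuild. Second, turning Angular off in configuration (the toggle the reply above refers to) stops Grafana from loading those bundles at runtime but does not delete them from public/build, so a file-based scanner will keep flagging them until they are actually left out of the image.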