Fix CVE-2024-53382 - PrismJS - Grafana - plugins/datasource

[rgoltz]

Why is this needed:

Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.

This issue is assinged to CVE-2024-53382. Following a current scan of the Docker-Image, Grafana is using this package.

Details from Image-Scan

Package Name	prismjs
Vulnerability ID	https://nvd.nist.gov/vuln/detail/CVE-2024-53382
OSV Advisory Link	https://osv.dev/vulnerability/GHSA-x7hr-w5r2-h6wg
Severity	Medium
Installed version	v1.29.0
Fixed version	tbd
Package Manager	NODE
File paths	/usr/share/grafana/public/app/plugins/datasource/azuremonitor/package.json /usr/share/grafana/public/app/plugins/datasource/cloud-monitoring/package.json /usr/share/grafana/public/app/plugins/datasource/grafana-pyroscope-datasource/package.json /usr/share/grafana/public/app/plugins/datasource/tempo/package.json
Affected Code in PrismJS	https://github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js#L226-L259

Who is this feature for?
For security and secure operation of Grafana. We should wait for a fix or mitigation and track this progress (at prismjs) here. May we should create a PR, after a fixed version is available. In case Grafana is not affected of this XSS issue, a short statement would help users here as well.

References

• GHSA-x7hr-w5r2-h6wg
• CVE-2024-53382 security issue PrismJS/prism#3864
• check that currentScript is set by a script tag PrismJS/prism#3863

[simonc6372]

Hi @rgoltz
Thanks for taking the time to report the issue. We're aware of this CVE from our internal scanning, and when there's a fix version published we will bump the dependencies. Due to the apparent lack of recent activity in the Prism project and therefore potentially long time for a fix to be released, we'll be taking a look at the impact on Grafana, and act accordingly.

For future security issues, (even if they are detectable with public information like this one) could you please report it via the instructions on the security tab, which you can also reach when you select "Report a security" issue from the New Issues menu.

[rgoltz]

Hello @simonc6372 and @adrapereira 

The new release of PrismJS 1.30.0 has been released: https://github.com/PrismJS/prism/releases/tag/v1.30.0 - Following the changelog, it's covering the CVE issue.

Furthermore, your Bots also working at night and already created PRs:

• Bump prismjs from 1.29.0 to 1.30.0 #101914
• Update dependency prismjs to v1.30.0 [SECURITY] #101915

:-)