Upstream fix: https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609

The OCP grafana-container is read-only and behind OpenShift OAuth, hence it has been marked Low and wontfix.

The OSSM servicemesh-grafana rpm is also installed by default behind OpenShift OAuth, however it is not read-only. Where the syntax highlighting could occur is very limited, that and even if we could find a vulnerable location the vulnerability would be limited to impacting the current user - aka DoS's oneself. If a query or such was vulnerable, a potential attacker would still need to be able to save the malicious query, then somehow get a victim to edit and view the syntax. With the impact potentially limited to the user's client session - i.e. the user visits the 'malicious' syntax displayed, causes the browser tab (depending on browser) to freeze it gets closed move on. Hence OSSM has also been marked Low/wontfix.

Statement:

OpenShift Container Platform (OCP)  and Red Hat Ceph Storage (RHCS) 3 and 4  grafana-container does package a vulnerable verison of prismjs. However due to the instance being read only and behind OpenShift OAuth, it has been given a Low impact. Additionally it has been marked as wont-fix at this time and may be fixed in a future release.

OpenShift ServiceMesh (OSSM)  ncludes a vulnerable version of prismjs. Due to the component being behind OpenShift OAuth and the vulnerability itself being limited to the syntax highlighting within grafana, it has been given a Low impact. The OSSM servicemesh-grafana component has been marked as wont-fix at this time and may be fixed in a future release.

Red Hat Ceph Storage RHCS 3 and 4 grafana  includes a vulnerable version of prismjs, however, due to the vulnerability itself being limited to the syntax highlighting within grafana, it has been given a Low impact.  RHCS 3 and 4  have been marked as wont-fix at this time and may be fixed in a future release.