The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components. References: https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609 https://github.com/PrismJS/prism/issues/2583 https://github.com/PrismJS/prism/pull/2584 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582 https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581
Upstream fix: https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609
The OCP grafana-container is read-only and behind OpenShift OAuth, hence it has been marked Low and wontfix. The OSSM servicemesh-grafana rpm is also installed by default behind OpenShift OAuth, however it is not read-only. Where the syntax highlighting could occur is very limited, that and even if we could find a vulnerable location the vulnerability would be limited to impacting the current user - aka DoS's oneself. If a query or such was vulnerable, a potential attacker would still need to be able to save the malicious query, then somehow get a victim to edit and view the syntax. With the impact potentially limited to the user's client session - i.e. the user visits the 'malicious' syntax displayed, causes the browser tab (depending on browser) to freeze it gets closed move on. Hence OSSM has also been marked Low/wontfix.
Statement: OpenShift Container Platform (OCP) and Red Hat Ceph Storage (RHCS) 3 and 4 grafana-container does package a vulnerable verison of prismjs. However due to the instance being read only and behind OpenShift OAuth, it has been given a Low impact. Additionally it has been marked as wont-fix at this time and may be fixed in a future release. OpenShift ServiceMesh (OSSM) ncludes a vulnerable version of prismjs. Due to the component being behind OpenShift OAuth and the vulnerability itself being limited to the syntax highlighting within grafana, it has been given a Low impact. The OSSM servicemesh-grafana component has been marked as wont-fix at this time and may be fixed in a future release. Red Hat Ceph Storage RHCS 3 and 4 grafana includes a vulnerable version of prismjs, however, due to the vulnerability itself being limited to the syntax highlighting within grafana, it has been given a Low impact. RHCS 3 and 4 have been marked as wont-fix at this time and may be fixed in a future release.