What went wrong?
What happened:
A vulnerability scan on Oncall v1.15.2 revealed several high-severity issues (CVSS > 7). We hope these can be addressed and a new version can be released soon.
| Packages | Source Package | Package Version | Package License | CVSS | Fix Status |
|---|---|---|---|---|---|
| postgresql16-dev, libpq-dev, libpq, libecpg-dev, libecpg | postgresql16 | 16.3-r0 | PostgreSQL | 8.8 | fixed in 16.5-r0 |
| python3-pycache-pyc0, python3-dev, python3 | python3 | 3.12.6-r0 | PSF-2.0 | 7.8 | fixed in 3.12.8-r0 |
| libxml2 | | 2.12.7-r0 | MIT | 7.5 | fixed in 2.12.7-r2 |
| binutils | | 2.42-r0 | GPL-2.0-or-later AND LGPL-2.1-or-later AND BSD-3-Clause | 7.5 | fixed in 2.42-r1 |
| postgresql16-dev, libpq-dev, libpq, libecpg-dev, libecpg | postgresql16 | 16.3-r0 | PostgreSQL | 5.4 | fixed in 16.5-r0 |
| django | | 4.2.19 | BSD-3-Clause | 5 | fixed in 5.1.7, 5.0.13, 4.2.20 |
| postgresql16-dev, libpq-dev, libpq, libecpg-dev, libecpg | postgresql16 | 16.3-r0 | PostgreSQL | 4.2 | fixed in 16.5-r0 |
| postgresql16-dev, libpq-dev, libpq, libecpg-dev, libecpg | postgresql16 | 16.3-r0 | PostgreSQL | 3.7 | fixed in 16.5-r0 |
What did you expect to happen:
- We hope these CVEs can be fixed in a new version.
How do we reproduce it?
- Open Grafana OnCall and do X
- Now click button Y
- Wait for the browser to crash. Error message says: "Error..."
Grafana OnCall Version
v1.15.2
Product Area
Other
Grafana OnCall Platform?
None
User's Browser?
No response
Anything else to add?
No response