Mitigating the Angular Vulnerability

Dear PrivacyIdea Community,

The following vulnerability has been identified in our deployment of PrivacyIdea (3.8.1) and I was wondering what the recommended remediation is for it. I've checked the latest version of PrivacyIdea (3.10), and it also appears to include version 1.8 of the Angular package.

Any advice/ideas would be appreciated! :slight_smile:

Vulnerability scan shows the following findings on OTP (Medium severity):

https://nvd.nist.gov/vuln/detail/CVE-2024-8372
https://nvd.nist.gov/vuln/detail/CVE-2024-8373

Details:

Location: /opt/privacyidea/venv/lib/python3.8/site-packages/privacyidea/static/package-lock.json

Package: pkg:javascript/angular

Installed version: 1.8.3

Description:

The library angular version 1.8.3 was detected in NPM library manager located at /opt/privacyidea/venv/lib/python3.8/site-packages/privacyidea/static/package-lock.json on line 35 and is vulnerable to CVE-2024-8372, which exists in versions >= 1.3.1, < 1.9.6.

The vulnerability was found in the National Vulnerability Database (NVD) with NVD severity: Medium.

The library is associated with the technology AngularJS.

The vulnerability can be remediated by updating AngularJS to 1.9.6 or higher.
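To reproduce the scanner's finding locally (for example after an upgrade, or against a different venv), here is an added example that is not part of the original post or of the PrivacyIdea project: a small Python script that reads a package-lock.json, collects every installed version of the `angular` package (both the lockfileVersion 1 nested `dependencies` layout and the lockfileVersion 2/3 `packages` layout), and checks each one against the range the scanner reported above (>= 1.3.1, < 1.9.6). The range is taken from the scan output as quoted in the post, not from an independent reading of the CVEs; the sample lock file embedded below is constructed for the demonstration and is not PrivacyIdea's real file.

```python
"""Check a package-lock.json for an AngularJS version inside a reported vulnerable range."""
import json
import re
import sys
from typing import Optional, Tuple

# Range as reported by the vulnerability scanner in the post: >= 1.3.1 and < 1.9.6.
VULNERABLE_MIN = (1, 3, 1)
FIXED_AT = (1, 9, 6)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a semver string, or None if it cannot be parsed.

    Pre-release / build suffixes such as '1.8.3-rc.1' are ignored for the comparison.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def installed_versions(lock: dict, package: str) -> list:
    """Collect every installed version of `package` recorded in a package-lock.json.

    lockfileVersion 2/3 record packages under 'packages' keyed by their install path
    (e.g. 'node_modules/angular' or 'node_modules/foo/node_modules/angular');
    lockfileVersion 1 (and the v2 compatibility section) nest them under 'dependencies'.
    """
    found = []
    for path, entry in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == package and "version" in entry:
            found.append(entry["version"])

    def walk(deps: dict) -> None:
        for name, entry in deps.items():
            if name == package and "version" in entry:
                found.append(entry["version"])
            walk(entry.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return sorted(set(found))


def is_vulnerable(version: str) -> bool:
    """True if `version` falls inside the reported range; unparsable versions return False."""
    v = parse_version(version)
    if v is None:
        return False  # cannot judge; review such entries manually
    return VULNERABLE_MIN <= v < FIXED_AT


def report(lock: dict, package: str = "angular") -> dict:
    """Map each installed version of `package` to whether it is in the reported range."""
    return {ver: is_vulnerable(ver) for ver in installed_versions(lock, package)}


# Constructed sample lock file for the demonstration (not PrivacyIdea's real file).
SAMPLE_LOCK = json.loads("""
{
  "name": "sample-webui",
  "lockfileVersion": 1,
  "dependencies": {
    "angular": { "version": "1.8.3",
                 "resolved": "https://registry.npmjs.org/angular/-/angular-1.8.3.tgz" },
    "angular-sanitize": { "version": "1.8.3" }
  }
}
""")


if __name__ == "__main__":
    # Usage: python check_angular_lock.py /path/to/package-lock.json
    # Without an argument the constructed sample above is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for ver, vuln in report(lock).items():
        print(f"angular {ver}: {'in reported range' if vuln else 'not in reported range'}")
```

Run it against the path quoted in the scan output to confirm which versions of `angular` the lock file actually records; note that this only reproduces the scanner's version-range match, it does not tell you whether the application ever calls the affected code.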

Hi, thanks for bringing this up. I do not see that we can do much, since the 1.9.x versions of the old angularjs are paid content by HeroDevs. Obviously, we do not intend to use angularjs forever and have started working on a new webui using the successor angular.
I have done a quick search in the project files and did not find any uses of the function affected by this CVE, so from a first glance privacyidea does not seem affected.

Hi Nils,

Thanks for taking the time to reply!

Your comments should be sufficient mitigation for now and we will continue to monitor the website for any developments regarding the replacement webui.

Regards,
Cossy