Information Disclosure - Suspicious Comments

Grafana
1

I have run Zap scanning tool on my Grafana Project. we are using grafana 6.7.3 version.
Zap has reported Information Disclosure - Suspicious Comments alert. Below is detail of Alert -

Informational (Low) Information Disclosure - Suspicious Comments
Description The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.
URL http://<IpAdress>/public/build/moment~app.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/login
Method GET
URL http://<IpAdress>/public/build/DataSourcesListPage.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/UsersListPage.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/angular~app.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/app.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/DashboardPage.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/UserInvitePage.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/default~DashboardPage~SoloPanelPage~explore.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/vendors~app.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/default~DashboardPage~SoloPanelPage.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/TeamList.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/default~lokiPlugin~prometheusPlugin.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/UserCreatePage.6e0e26a4129f9f25ab6d.js
Method GET
URL http://<IpAdress>/public/build/prometheusPlugin.6e0e26a4129f9f25ab6d.js
Method GET

Could you please let me know the resolution for the same.

Regards,
Abhimanyu

2

I have run Zap scanning tool on my Grafana Project. we are using grafana
6.7.3 version. Zap has reported Information Disclosure - Suspicious
Comments alert. Below is detail of Alert -

“Suspicious Comments” is all very well, but does this represent a
vulnerability?

Could you please let me know the resolution for the same.

A resolution for what? What is the problem you are reporting? What do you
believe needs changing?

Antony.

3

Solution for vulnerability

4

So, what is the vulnerability?

Antony.

5

Hello

Information disclosure , it seems to be a vulnerability under Sensitive Data Exposure

what do you believe, is it false positive reported by Zap scanning tool ?

Regards,
Abhimanyu

6

Form what I understand the tool is marking the fact that the responses contain IpAdress as a vulnerability.

Not giving your server an IpAdress would indeed make it more secure, but useless.

tl;dr: the responses having placeholders for IP addresses or hostnames is not a vulnerability.

7

How to solve this error? The response appears to contain suspicious comments which may help an attacker. Note: Matches made within script blocks or files are against the entire content not only comments.