CVE-2024-8986 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2024-8986

CVE-2024-8986

September 19, 2024

The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.

Affected Packages

github.com/grafana/grafana-plugin-sdk-go (GO):

Affected version(s) >=v0.0.0-20190923224014-991e5f717917 <v0.250.0

Fix Suggestion:

Update to version v0.250.0

Related Resources (7)

https://github.com/grafana/grafana-plugin-sdk-go

https://grafana.com/security/security-advisories/cve-2024-8986

https://grafana.com/security/security-advisories/cve-2024-8986/

https://github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41

https://pkg.go.dev/vuln/GO-2024-3140

https://github.com/advisories/GHSA-xxxw-3j6h-q7h6

https://nvd.nist.gov/vuln/detail/CVE-2024-8986

Do you need more information?

CVSS v4

Base Score:

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

PRESENT

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

HIGH

Subsequent System Integrity

HIGH

Subsequent System Availability

HIGH

CVSS v3

Base Score:

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Insufficiently Protected Credentials

CWE-522

EPSS

Base Score:

0.09

Products

Solutions

Resources

Company

Compare

Developer Tools