Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-8986

Опубликовано: 19 сент. 2024
Источник: redhat
CVSS3: 5.5

Описание

The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running git remote get-url origin. If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.

A flaw was found in grafana-plugin-sdk-go package. The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running git remote get-url origin. If credentials are included in the repository URI, for example, to allow for fetching of private dependencies, the final binary will contain the full URI, including said credentials.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Advanced Cluster Management for Kubernetes 2rhacm2/acm-grafana-rhel8Fix deferred
Red Hat Ceph Storage 5rhceph/rhceph-5-dashboard-rhel8Out of support scope
Red Hat Ceph Storage 6rhceph/rhceph-6-dashboard-rhel9Out of support scope
Red Hat Ceph Storage 7rhceph/grafana-rhel9Out of support scope
Red Hat Enterprise Linux 8grafanaWill not fix
Red Hat Enterprise Linux 8grafana-pcpWill not fix
Red Hat Enterprise Linux 9grafanaWill not fix
Red Hat Enterprise Linux 9grafana-pcpWill not fix

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-522
https://bugzilla.redhat.com/show_bug.cgi?id=2313511grafana-plugin-sdk-go: Information Leakage in grafana-plugin-sdk-go

5.5 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2024-8986

nvd
9 месяцев назад

The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.

github логотип

GHSA-xxxw-3j6h-q7h6

CVSS3: 5.9
github
9 месяцев назад

Grafana plugin SDK Information Leakage

fstec логотип

BDU:2024-07373

CVSS3: 8.6
fstec
9 месяцев назад

Уязвимость SDK-плагина платформы для мониторинга и наблюдения Grafana, связанная с передачей токенов аутентификации некоторым целевым плагинам, позволяющая нарушителю получить доступ к учётным данным репозитория

5.5 Medium

CVSS3