CVE-2024-8986

The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.

CVSS

No CVSS.

References

Link	Resource
https://grafana.com/security/security-advisories/cve-2024-8986/

Configurations

No configuration.

History

No history.

Information

Published : 2024-09-19 11:15

Updated : 2024-09-20 12:30

NVD link : CVE-2024-8986

Mitre link : CVE-2024-8986

CVE.ORG link : CVE-2024-8986

JSON object : View

Products Affected

No product.

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2024-8986", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@grafana.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "USER", "baseScore": 9.1, "automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "HIGH", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "LOW", "subsequentSystemAvailability": "HIGH", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "HIGH", "vulnerableSystemConfidentiality": "HIGH", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-09-19T11:15:10.913", "references": [{"url": "https://grafana.com/security/security-advisories/cve-2024-8986/", "source": "security@grafana.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@grafana.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`.\n \nIf credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials."}, {"lang": "es", "value": "El SDK del complemento Grafana incluye metadatos de compilaci\u00f3n en los binarios que compila; estos metadatos incluyen el URI del repositorio para el complemento que se est\u00e1 compilando, tal como se obtiene al ejecutar `git remote get-url origin`. Si se incluyen credenciales en el URI del repositorio (por ejemplo, para permitir la obtenci\u00f3n de dependencias privadas), el binario final contendr\u00e1 el URI completo, incluidas dichas credenciales."}], "lastModified": "2024-09-20T12:30:17.483", "sourceIdentifier": "security@grafana.com"}

CVE-2024-8986

JSON object

Attach tags to CVE-2024-8986

Attach tags to `CVE-2024-8986`