Upstream information

CVE-2024-8986 at MITRE

Description

The Grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`.

If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.
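A defender can check for this exposure in two places: the origin URI before the build, and the bytes of an artifact that has already been built. The Go sketch below is an added example, not code from the Grafana plugin SDK or from SUSE; the function names, host names, token and sample bytes are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// credURI matches scheme://userinfo@host[/path] runs as they appear in a binary's string data.
var credURI = regexp.MustCompile(`(?:https?|ssh|git)://[A-Za-z0-9._~%!$&*+,;=:-]+@[A-Za-z0-9.-]+(?::[0-9]+)?(?:/[A-Za-z0-9._~%/+-]*)?`)

// sample is constructed data standing in for the contents of a compiled plugin binary.
var sample = []byte("\x00\x01repo=https://ci-bot:EXAMPLE-TOKEN@git.example.com/acme/plugin.git\x00" +
	"https://github.com/example/other.git\x00ssh://git@git.example.com/acme/plugin.git\x00")

// StripUserinfo removes any user[:password]@ part from a repository URI,
// e.g. the output of `git remote get-url origin`, and reports whether one was present.
func StripUserinfo(raw string) (clean string, hadCreds bool, err error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", false, err
	}
	hadCreds = u.User != nil
	u.User = nil
	return u.String(), hadCreds, nil
}

// FindCredentialedURIs returns every embedded URI that carries userinfo,
// redacted so that the report itself does not repeat the secret.
func FindCredentialedURIs(data []byte) []string {
	var hits []string
	for _, m := range credURI.FindAll(data, -1) {
		u, err := url.Parse(string(m))
		if err != nil || u.User == nil {
			continue
		}
		// A bare SSH login name (ssh://git@host) is not a secret; skip it.
		if _, hasPw := u.User.Password(); !hasPw && u.Scheme == "ssh" {
			continue
		}
		u.User = url.User("REDACTED")
		hits = append(hits, u.String())
	}
	return hits
}

func main() {
	fmt.Println(FindCredentialedURIs(sample))
	fmt.Println(StripUserinfo("https://ci-bot:EXAMPLE-TOKEN@git.example.com/acme/plugin.git"))
}
```

Any hit on a binary that has already been distributed means the embedded credential should be treated as disclosed and rotated.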

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having critical severity.

CVSS v4 Scores
CNA (Grafana Labs)
Base Score: 9.1
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Present
Privileges Required: None
User Interaction: None
Vulnerable System Confidentiality Impact: High
Vulnerable System Integrity Impact: None
Vulnerable System Availability Impact: None
Subsequent System Confidentiality Impact: High
Subsequent System Integrity Impact: High
Subsequent System Availability Impact: High
CVSSv4 Version: 4.0
No SUSE Bugzilla entries cross referenced.

SUSE Security Advisories:

List of released packages

Product(s): openSUSE Tumbleweed
Fixed package version(s): govulncheck-vulndb >= 0.0.20241120T172248-1.1
References: Patchnames: openSUSE-Tumbleweed-2024-14515

SUSE Timeline for this CVE

CVE page created: Thu Sep 19 14:00:18 2024
CVE page last modified: Fri Nov 29 14:54:40 2024