Vulnerability Report: GO-2024-3140

CVE-2024-8986, GHSA-xxxw-3j6h-q7h6
Affects: github.com/grafana/grafana-plugin-sdk-go
Published: Nov 20, 2024
Modified: Dec 12, 2024

The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running "git remote get-url origin". If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.

For detailed information about this vulnerability, visit https://github.com/advisories/GHSA-xxxw-3j6h-q7h6.

Affected Packages

Path

Go Versions

Symbols
github.com/grafana/grafana-plugin-sdk-go/build

before v0.250.0
13 affected symbols

Aliases

CVE-2024-8986
GHSA-xxxw-3j6h-q7h6

References

https://github.com/advisories/GHSA-xxxw-3j6h-q7h6
https://github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41
https://grafana.com/security/security-advisories/cve-2024-8986
https://vuln.go.dev/ID/GO-2024-3140.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL