{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8986", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "state": "PUBLISHED", "assignerShortName": "GRAFANA", "dateReserved": "2024-09-18T21:30:03.876Z", "datePublished": "2024-09-19T10:57:01.035Z", "dateUpdated": "2024-09-19T13:38:02.412Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/grafana/grafana-plugin-sdk-go", "defaultStatus": "unaffected", "product": "Grafana Plugin SDK", "vendor": "grafana-plugin-sdk-go", "versions": [{"lessThanOrEqual": "0.249.0", "status": "affected", "version": "0.106.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: transparent;\">The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running </span><span style=\"background-color: transparent;\">`git remote get-url origin</span><span style=\"background-color: transparent;\">`.<br> <br>If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.</span><br>"}], "value": "The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`.\n \nIf credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials."}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV4_0": {"Automatable": "YES", "Recovery": "USER", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 9.1, "baseSeverity": "CRITICAL", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/AU:Y/R:U/RE:L", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2024-09-19T10:57:01.035Z"}, "references": [{"url": "https://grafana.com/security/security-advisories/cve-2024-8986/"}], "source": {"discovery": "UNKNOWN"}, "title": "Information Leakage in grafana-plugin-sdk-go", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-19T13:37:54.186966Z", "id": "CVE-2024-8986", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T13:38:02.412Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8986", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-19T13:37:54.186966Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-19T13:37:59.017Z"}}], "cna": {"title": "Information Leakage in grafana-plugin-sdk-go", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "USER", "baseScore": 9.1, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/AU:Y/R:U/RE:L", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "grafana-plugin-sdk-go", "product": "Grafana Plugin SDK", "versions": [{"status": "affected", "version": "0.106.0", "versionType": "semver", "lessThanOrEqual": "0.249.0"}], "collectionURL": "https://github.com/grafana/grafana-plugin-sdk-go", "defaultStatus": "unaffected"}], "references": [{"url": "https://grafana.com/security/security-advisories/cve-2024-8986/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`.\n \nIf credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: transparent;\">The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running </span><span style=\"background-color: transparent;\">`git remote get-url origin</span><span style=\"background-color: transparent;\">`.<br> <br>If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "shortName": "GRAFANA", "dateUpdated": "2024-09-19T10:57:01.035Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8986", "state": "PUBLISHED", "dateUpdated": "2024-09-19T13:38:02.412Z", "dateReserved": "2024-09-18T21:30:03.876Z", "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da", "datePublished": "2024-09-19T10:57:01.035Z", "assignerShortName": "GRAFANA"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`.\n \nIf credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials."}, {"lang": "es", "value": "El SDK del complemento Grafana incluye metadatos de compilaci\u00f3n en los binarios que compila; estos metadatos incluyen el URI del repositorio para el complemento que se est\u00e1 compilando, tal como se obtiene al ejecutar `git remote get-url origin`. Si se incluyen credenciales en el URI del repositorio (por ejemplo, para permitir la obtenci\u00f3n de dependencias privadas), el binario final contendr\u00e1 el URI completo, incluidas dichas credenciales."}], "id": "CVE-2024-8986", "lastModified": "2024-09-20T12:30:17.483", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "YES", "availabilityRequirements": "NOT_DEFINED", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "USER", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "HIGH", "subsequentSystemIntegrity": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:X", "version": "4.0", "vulnerabilityResponseEffort": "LOW", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "NONE"}, "source": "security@grafana.com", "type": "Secondary"}]}, "published": "2024-09-19T11:15:10.913", "references": [{"source": "security@grafana.com", "url": "https://grafana.com/security/security-advisories/cve-2024-8986/"}], "sourceIdentifier": "security@grafana.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@grafana.com", "type": "Secondary"}]}

{"bugzilla": {"description": "grafana-plugin-sdk-go: Information Leakage in grafana-plugin-sdk-go", "id": "2313511", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2313511"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-522", "details": ["The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`.\nIf credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.", "A flaw was found in grafana-plugin-sdk-go package. The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI, for example, to allow for fetching of private dependencies, the final binary will contain the full URI, including said credentials."], "name": "CVE-2024-8986", "package_state": [{"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Fix deferred", "package_name": "rhacm2/acm-grafana-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:5", "fix_state": "Out of support scope", "package_name": "rhceph/rhceph-5-dashboard-rhel8", "product_name": "Red Hat Ceph Storage 5"}, {"cpe": "cpe:/a:redhat:ceph_storage:6", "fix_state": "Out of support scope", "package_name": "rhceph/rhceph-6-dashboard-rhel9", "product_name": "Red Hat Ceph Storage 6"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Out of support scope", "package_name": "rhceph/grafana-rhel9", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Will not fix", "package_name": "grafana-pcp", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "grafana-pcp", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "grafana", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "grafana-pcp", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-09-19T11:15:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8986\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8986\nhttps://grafana.com/security/security-advisories/cve-2024-8986/"], "threat_severity": "Moderate"}