Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in github.com/grafana/grafana-plugin-sdk-go: GHSA-xxxw-3j6h-q7h6 #3140

Open
GoVulnBot opened this issue Sep 19, 2024 · 1 comment

Comments

@GoVulnBot
Copy link

Advisory GHSA-xxxw-3j6h-q7h6 references a vulnerability in the following Go modules:

Module
github.com/grafana/grafana-plugin-sdk-go

Description:
The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running git remote get-url origin.

If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/grafana/grafana-plugin-sdk-go
      non_go_versions:
        - introduced: TODO (earliest fixed "0.250.0", vuln range "<= 0.249.0")
      vulnerable_at: 0.250.0
summary: Grafana plugin SDK Information Leakage in github.com/grafana/grafana-plugin-sdk-go
cves:
    - CVE-2024-8986
ghsas:
    - GHSA-xxxw-3j6h-q7h6
references:
    - advisory: https://github.com/advisories/GHSA-xxxw-3j6h-q7h6
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8986
    - fix: https://github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41
    - web: https://grafana.com/security/security-advisories/cve-2024-8986
source:
    id: GHSA-xxxw-3j6h-q7h6
    created: 2024-09-19T18:01:17.367722006Z
review_status: UNREVIEWED

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/626158 mentions this issue: data/reports: add 4 NEEDS_REVIEW reports

gopherbot pushed a commit that referenced this issue Nov 20, 2024
  - data/reports/GO-2024-3122.yaml
  - data/reports/GO-2024-3140.yaml
  - data/reports/GO-2024-3259.yaml
  - data/reports/GO-2024-3265.yaml

Updates #3122
Updates #3140
Updates #3259
Updates #3265

Change-Id: I3fb8a3af0ccd59ed8dd5d130889e10601c0a9472
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/626158
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants