data/reports/GO-2024-3140.yaml - vulndb - Git at Google

 id: GO-2024-3140
 modules:
     - module: github.com/grafana/grafana-plugin-sdk-go
       versions:
         - fixed: 0.250.0
       vulnerable_at: 0.249.0
       packages:
         - package: github.com/grafana/grafana-plugin-sdk-go/build
           symbols:
             - Info.appendFlags
             - getEnvironment
             - getBuildInfoFromEnvironment
             - getBuildBackendCmdInfo
           derived_symbols:
             - Build.Backend
             - Build.Darwin
             - Build.DarwinARM64
             - Build.Debug
             - Build.DebugDarwinAMD64
             - Build.DebugDarwinARM64
             - Build.DebugLinuxAMD64
             - Build.DebugLinuxARM64
             - Build.DebugWindowsAMD64
             - Build.Linux
             - Build.LinuxARM
             - Build.LinuxARM64
             - Build.Windows
 summary: |-
     Grafana plugin SDK Information Leakage in
     github.com/grafana/grafana-plugin-sdk-go
 description: |-
     The grafana plugin SDK bundles build metadata into the binaries it compiles;
     this metadata includes the repository URI for the plugin being built, as
     retrieved by running "git remote get-url origin".

     If credentials are included in the repository URI (for instance, to allow for
     fetching of private dependencies), the final binary will contain the full URI,
     including said credentials.
 cves:
     - CVE-2024-8986
 ghsas:
     - GHSA-xxxw-3j6h-q7h6
 references:
     - advisory: https://github.com/advisories/GHSA-xxxw-3j6h-q7h6
     - fix: https://github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41
     - web: https://grafana.com/security/security-advisories/cve-2024-8986
 source:
     id: GHSA-xxxw-3j6h-q7h6
     created: 2024-12-11T14:44:16.467308-05:00
 review_status: REVIEWED
	id: GO-2024-3140
	modules:
	- module: github.com/grafana/grafana-plugin-sdk-go
	versions:
	- fixed: 0.250.0
	vulnerable_at: 0.249.0
	packages:
	- package: github.com/grafana/grafana-plugin-sdk-go/build
	symbols:
	- Info.appendFlags
	- getEnvironment
	- getBuildInfoFromEnvironment
	- getBuildBackendCmdInfo
	derived_symbols:
	- Build.Backend
	- Build.Darwin
	- Build.DarwinARM64
	- Build.Debug
	- Build.DebugDarwinAMD64
	- Build.DebugDarwinARM64
	- Build.DebugLinuxAMD64
	- Build.DebugLinuxARM64
	- Build.DebugWindowsAMD64
	- Build.Linux
	- Build.LinuxARM
	- Build.LinuxARM64
	- Build.Windows
	summary: \|-
	Grafana plugin SDK Information Leakage in
	github.com/grafana/grafana-plugin-sdk-go
	description: \|-
	The grafana plugin SDK bundles build metadata into the binaries it compiles;
	this metadata includes the repository URI for the plugin being built, as
	retrieved by running "git remote get-url origin".

	If credentials are included in the repository URI (for instance, to allow for
	fetching of private dependencies), the final binary will contain the full URI,
	including said credentials.
	cves:
	- CVE-2024-8986
	ghsas:
	- GHSA-xxxw-3j6h-q7h6
	references:
	- advisory: https://github.com/advisories/GHSA-xxxw-3j6h-q7h6
	- fix: https://github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41
	- web: https://grafana.com/security/security-advisories/cve-2024-8986
	source:
	id: GHSA-xxxw-3j6h-q7h6
	created: 2024-12-11T14:44:16.467308-05:00
	review_status: REVIEWED