PT-2024-6336 · Grafana · Grafana Plugin Sdk
Published 2024-09-19 · Updated 2024-11-21 · CVE-2024-8986
CVSS v4.0: 9.1 (Critical)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/AU:Y/R:U/RE:L
Name of the Vulnerable Software and Affected Versions
Grafana Plugin SDK versions prior to 0.250.0
Description
The Grafana Plugin SDK bundles build metadata into the binaries it compiles, and that metadata includes the repository URI of the plugin being built. If the repository URI contains credentials, the final binary contains the full URI, credentials included. This could allow a remote attacker to obtain the repository credentials from the distributed binary.
Recommendations
For versions prior to 0.250.0, upgrade to version 0.250.0 to fix this issue. As a temporary workaround, consider avoiding the inclusion of credentials in the repository URI to minimize the risk of exploitation. Restrict access to the repository URI to prevent unauthorized access.
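A release-gate check a plugin maintainer can run over a compiled artifact before publishing it, added here as an example (not Grafana or SDK code): it extracts printable strings from the binary and flags any URI whose authority part carries a username or password. The metadata layout in the sample blob is constructed for illustration and does not assert how the SDK actually stores build info.

```python
"""Scan a compiled plugin binary for URIs that embed credentials (added example)."""
import re
from urllib.parse import urlsplit

# Printable ASCII runs of at least 8 bytes, in the spirit of strings(1).
_PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")
# Anything shaped like scheme://... inside an extracted string.
_URI = re.compile(r"[a-zA-Z][a-zA-Z0-9+.-]*://[^\s\"'<>]+")


def extract_strings(blob: bytes):
    """Yield printable ASCII runs found in raw binary bytes."""
    for m in _PRINTABLE.finditer(blob):
        yield m.group().decode("ascii")


def find_credentialed_uris(blob: bytes):
    """Return (uri, redacted_uri) pairs for every URI carrying userinfo.

    The redacted form replaces the userinfo with '***' so the finding can be
    logged or shown in CI output without re-leaking the secret itself.
    """
    findings = []
    for s in extract_strings(blob):
        for uri in _URI.findall(s):
            parts = urlsplit(uri)
            if parts.username or parts.password:
                host = parts.netloc.rpartition("@")[2]  # drop user:pass@
                redacted = f"{parts.scheme}://***@{host}{parts.path}"
                findings.append((uri, redacted))
    return findings


def check_binary(path: str) -> list:
    """Scan a file on disk; a non-empty result means the build leaked credentials."""
    with open(path, "rb") as fh:
        return find_credentialed_uris(fh.read())


# Constructed sample: a fake binary with build-metadata strings embedded, one of
# them a repository URI carrying a placeholder token (not a real secret).
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"version=1.2.3\nmodule=github.com/example/plugin\n"
    + b"repo=https://ci-bot:EXAMPLE_TOKEN@github.com/example/plugin.git\n"
    + b"docs=https://grafana.com/docs/plugins\x00"
)

if __name__ == "__main__":
    for _uri, redacted in find_credentialed_uris(SAMPLE_BLOB):
        print("credentials embedded in binary:", redacted)
```

Run `check_binary()` on the built plugin in CI and fail the release when it returns anything; the redacted form is safe to print in the job log.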
Fix
Weakness Enumeration
Insufficiently Protected Credentials
Related Identifiers
Affected Products
Grafana Plugin Sdk