PT-2024-6558 · Grafana+1 · Grafana Agent+2

Published: 2024-09-18 · Updated: 2025-05-21 · CVE-2024-8975

CVSS v3.1: 7.8 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:
Grafana Alloy versions prior to 1.3.3
Grafana Alloy versions 1.4.0-rc.0 through 1.4.0-rc.1
Grafana Agent (Flow mode) versions prior to 0.43.3

Description: Grafana Alloy on Windows contains an Unquoted Search Path or Element vulnerability that allows a local user to escalate privileges to SYSTEM.

Recommendations: For Grafana Alloy versions prior to 1.3.3, update to version 1.3.3 or later. For Grafana Alloy versions 1.4.0-rc.0 through 1.4.0-rc.1, update to version 1.4.1 or later. For Grafana Agent (Flow mode) versions prior to 0.43.3, update to version 0.43.3 or later. As a temporary workaround, consider restricting access to the vulnerable component until a patch is available.
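
An added example (not part of the original advisory and not Grafana's code): a Python audit for the weakness class named in the description. It assumes the unquoted path is a Windows service ImagePath value, which the advisory does not state; the function names, service names and paths are constructed.

```python
import ntpath
import re

# Extension that ends the executable part of a service command line.
_EXE_END = re.compile(r"\.(exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)

# Constructed sample data. On a real host these strings would be read from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "ExampleAgent": r'C:\Program Files\Example Vendor\Agent\agent.exe run C:\cfg\agent.conf',
    "QuotedAgent": r'"C:\Program Files\Example Vendor\Agent\agent.exe" run',
    "NoSpaces": r'C:\Windows\System32\svchost.exe -k netsvcs',
}

def audit_image_path(image_path):
    """Classify one ImagePath string.

    unquoted      -- True if the executable path has a space and no quotes.
    exe           -- the executable path as parsed.
    dirs_to_audit -- directories where the path is ambiguous; non-admin
                     users must not have write access to any of them.
    """
    cmd = image_path.strip()
    if cmd.startswith('"'):
        # Quoted executable: the path is unambiguous.
        return {"unquoted": False, "exe": cmd[1:].split('"', 1)[0], "dirs_to_audit": []}
    m = _EXE_END.search(cmd)
    exe = cmd[:m.end()] if m else cmd.split(" ", 1)[0]
    dirs = []
    for i, ch in enumerate(exe):
        if ch == " ":
            # The text before each space can be read as a shorter program
            # name; record the directory that would contain it.
            parent = ntpath.dirname(exe[:i])
            if parent not in dirs:
                dirs.append(parent)
    return {"unquoted": bool(dirs), "exe": exe, "dirs_to_audit": dirs}

def find_unquoted(services):
    """Return {service name: audit result} for flagged services only."""
    results = {name: audit_image_path(path) for name, path in services.items()}
    return {name: r for name, r in results.items() if r["unquoted"]}

if __name__ == "__main__":
    for name, r in find_unquoted(SAMPLE_SERVICES).items():
        print(name, r["exe"], r["dirs_to_audit"])
```

A flagged service is remediated by updating to a fixed version as listed above; the reported directories show where write permissions should be reviewed in the meantime.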

Fix

Weakness Enumeration

Related Identifiers

BDU:2024-07702
BIT-GRAFANA-ALLOY-2024-8975
CVE-2024-8975
GHSA-CHQX-36RM-RF8H
GHSA-M5GV-M5F9-WGV4
GO-2024-3168
GO-2024-3170
OPENSUSE-SU-2024:0350-1
OPENSUSE-SU-2024:14439-1
OPENSUSE-SU-2024:14447-1
OPENSUSE-SU-2024_3911-1
SUSE-SU-2024:3911-1

Affected Products

Grafana Agent
Grafana Alloy
SUSE