CVE-2024-8986: Grafana plugin SDK Information Leakage

September 19, 2024 (updated December 12, 2024)

The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running git remote get-url origin.

If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.

References

github.com/advisories/GHSA-xxxw-3j6h-q7h6
github.com/grafana/grafana-plugin-sdk-go
github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41
grafana.com/security/security-advisories/cve-2024-8986
nvd.nist.gov/vuln/detail/CVE-2024-8986
pkg.go.dev/vuln/GO-2024-3140

Code Behaviors & Features

Detect and mitigate CVE-2024-8986 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →