search

golang / vulndb

[mirror] The Go Vulnerability Database
Other
565 stars 61 forks source link

x/vulndb: potential Go vuln in github.com/grafana/agent: GHSA-m5gv-m5f9-wgv4 #3170

Closed GoVulnBot closed 1 month ago

GoVulnBot commented 2 months ago

Advisory GHSA-m5gv-m5f9-wgv4 references a vulnerability in the following Go modules:

Module
github.com/grafana/agent

Description: Unquoted Search Path or Element vulnerability in Grafana Agent (Flow mode) on Windows allows Privilege Escalation from Local User to SYSTEM. This issue affects Agent Flow before 0.43.3.

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/grafana/agent
      versions:
        - fixed: 0.43.3
      vulnerable_at: 0.43.2
summary: |-
    Grafana Agent (Flow mode) on Windows has Unquoted Search Path or Element
    vulnerability in github.com/grafana/agent
cves:
    - CVE-2024-8996
ghsas:
    - GHSA-m5gv-m5f9-wgv4
references:
    - advisory: https://github.com/advisories/GHSA-m5gv-m5f9-wgv4
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-8996
    - fix: https://github.com/grafana/agent/commit/91bab2c05906938d3f8e1e3c61a863f037985299
    - web: https://github.com/grafana/agent/releases/tag/v0.43.2
    - web: https://github.com/grafana/agent/releases/tag/v0.43.3
    - web: https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996
    - web: https://grafana.com/security/security-advisories/cve-2024-8996
source:
    id: GHSA-m5gv-m5f9-wgv4
    created: 2024-10-01T23:01:17.437979561Z
review_status: UNREVIEWED
gopherbot commented 1 month ago

Change https://go.dev/cl/619135 mentions this issue: data/reports: add 15 reports