{"schema_version":"1.3.1","id":"GO-2024-3140","modified":"2024-12-12T15:46:32Z","published":"2024-11-20T17:22:48Z","aliases":["CVE-2024-8986","GHSA-xxxw-3j6h-q7h6"],"summary":"Grafana plugin SDK Information Leakage in github.com/grafana/grafana-plugin-sdk-go","details":"The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running \"git remote get-url origin\".\n\nIf credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.","affected":[{"package":{"name":"github.com/grafana/grafana-plugin-sdk-go","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.250.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/grafana/grafana-plugin-sdk-go/build","symbols":["Build.Backend","Build.Darwin","Build.DarwinARM64","Build.Debug","Build.DebugDarwinAMD64","Build.DebugDarwinARM64","Build.DebugLinuxAMD64","Build.DebugLinuxARM64","Build.DebugWindowsAMD64","Build.Linux","Build.LinuxARM","Build.LinuxARM64","Build.Windows","Info.appendFlags","getBuildBackendCmdInfo","getBuildInfoFromEnvironment","getEnvironment"]}]}}],"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-xxxw-3j6h-q7h6"},{"type":"FIX","url":"https://github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41"},{"type":"WEB","url":"https://grafana.com/security/security-advisories/cve-2024-8986"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-3140","review_status":"REVIEWED"}}