Insufficiently Protected Credentials

CVE-2024-8986

High

7.5/10

Summary

The grafana plugin SDK bundles build metadata into the binaries it compiles. This metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials. This flaw leads to an Insufficiently Protected Credentials vulnerability. This vulnerability affects github.com/grafana/grafana-plugin-sdk-go package versions prior to 0.250.0.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-522 - Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References

Advisory Timeline

Published Sep 19, 2024

Insufficiently Protected Credentials

CVE-2024-8986

Summary

CWE-522 - Insufficiently Protected Credentials

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS