{"id":"GO-2024-3140","summary":"Grafana plugin SDK Information Leakage in github.com/grafana/grafana-plugin-sdk-go","details":"The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running \"git remote get-url origin\".\n\nIf credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.","aliases":["CVE-2024-8986","GHSA-xxxw-3j6h-q7h6"],"modified":"2026-02-04T04:03:43.488817Z","published":"2024-11-20T17:22:48Z","related":["CGA-9gx3-xp87-gxqc"],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2024-3140","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-xxxw-3j6h-q7h6"},{"type":"FIX","url":"https://github.com/grafana/grafana-plugin-sdk-go/commit/aaa26d1bebaaf6160c37d3f1226a750eab70ca41"},{"type":"WEB","url":"https://grafana.com/security/security-advisories/cve-2024-8986"}],"affected":[{"package":{"name":"github.com/grafana/grafana-plugin-sdk-go","ecosystem":"Go","purl":"pkg:golang/github.com/grafana/grafana-plugin-sdk-go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.250.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["Build.Backend","Build.Darwin","Build.DarwinARM64","Build.Debug","Build.DebugDarwinAMD64","Build.DebugDarwinARM64","Build.DebugLinuxAMD64","Build.DebugLinuxARM64","Build.DebugWindowsAMD64","Build.Linux","Build.LinuxARM","Build.LinuxARM64","Build.Windows","Info.appendFlags","getBuildBackendCmdInfo","getBuildInfoFromEnvironment","getEnvironment"],"path":"github.com/grafana/grafana-plugin-sdk-go/build"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2024-3140.json"}}],"schema_version":"1.7.3"}