Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jaHF4LTM2cm0tcmY4aM4AA_x0
Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability
Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM.
This issue affects Alloy: before 1.3.4, from 1.4.0-rc.0 and prior to 1.4.1.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jaHF4LTM2cm0tcmY4aM4AA_x0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 2 months ago
Updated: about 2 months ago
CVSS Score: 7.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Percentage: 0.00042
EPSS Percentile: 0.05089
Identifiers: GHSA-chqx-36rm-rf8h, CVE-2024-8975
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-8975
- https://github.com/grafana/alloy/releases/tag/v1.4.0
- https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996
- https://grafana.com/security/security-advisories/cve-2024-8975
- https://github.com/grafana/alloy/releases/tag/v1.3.4
- https://github.com/grafana/alloy/releases/tag/v1.4.1
- https://github.com/grafana/alloy/commit/88e779887690954c009503598a3f4bf563cb6596
- https://github.com/grafana/alloy/commit/f14249012fd970d3fd73604e6fff9b6c7990a9bb
- https://pkg.go.dev/vuln/GO-2024-3168
- https://github.com/advisories/GHSA-chqx-36rm-rf8h
Blast Radius: 1.0
Affected Packages
go:github.com/grafana/alloy
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: >= 1.4.0-rc.0, < 1.4.1, < 1.3.4
Fixed in: 1.4.1, 1.3.4
All affected versions: 1.0.0, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.4.0-rc.0, 1.4.0-rc.1, 1.4.0-rc.2, 1.4.0-rc.3
All unaffected versions: 1.3.4, 1.4.1, 1.4.2, 1.4.3, 1.5.0