From ea0096fbcf5e12c29d667901cd4bfd66e96f6ec7 Mon Sep 17 00:00:00 2001
From: Ryan <accounts+github@ryanwarnock.me>
Date: Tue, 24 Sep 2024 11:40:15 +0800
Subject: [PATCH] Grafana Plugin SDK vuln (#998)

* Grafana Plugin SDK vuln

* Format markdown docs

* fix dum dum url

* Update 20240924001

Remove / from "What is vulnerable" table

---------

Co-authored-by: ryan-aus <ryan-aus@users.noreply.github.com>
Co-authored-by: JadonWill <117053393+JadonWill@users.noreply.github.com>
---
 ...0240924001-Grafana-Plugin-Critical-Vuln.md | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 docs/advisories/20240924001-Grafana-Plugin-Critical-Vuln.md

diff --git a/docs/advisories/20240924001-Grafana-Plugin-Critical-Vuln.md b/docs/advisories/20240924001-Grafana-Plugin-Critical-Vuln.md
new file mode 100644
index 00000000..0734b20a
--- /dev/null
+++ b/docs/advisories/20240924001-Grafana-Plugin-Critical-Vuln.md
@@ -0,0 +1,27 @@
+# Grafana Plugin SDK Information Leakage Vulnerabilty - 20240924001
+
+## Overview
+
+The WA SOC has been made aware of a vulnerability affecting Grafana.
+
+The Grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`. If credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.
+
+## What is vulnerable?
+
+| Product(s) Affected | Version(s)             | CVE                                                            | CVSS | Severity     |
+| ------------------- | ---------------------- | -------------------------------------------------------------- | ---- | ------------ |
+| Grafana Plugin SDK  | all versions <= 0.249.0 | [CVE-2024-8986](https://nvd.nist.gov/vuln/detail/CVE-2024-8986) | 9.1 | **Critical** |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- <https://grafana.com/security/security-advisories/cve-2024-8986/>
+
+## Additional References
+
+- Security Online: <https://securityonline.info/cve-2024-8986-cvss-9-1-critical-grafana-plugin-sdk-flaw-exposes-sensitive-information/>