CVE-2024-8975

Published: Sep 25, 2024Modified: Dec 26, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1.

Affected (3)

Products: Grafana: Alloy

Grafana

1 product

Alloy

Configuration A

3 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Grafana Alloy	Before 1.3.3
Grafana Alloy	Version 1.4.0 rc0
Grafana Alloy	Version 1.4.0 rc1

Running on/with	Platform Versions
Microsoft Windows	All versions

Related CWEs

CWE-428

Unquoted Search Path or Element

The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.

References (4)

https://github.com/grafana/alloy/releases/tag/v1.3.4

Source: security@grafana.com

Release Notes

https://github.com/grafana/alloy/releases/tag/v1.4.1

Source: security@grafana.com

Release Notes

https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996/

Source: security@grafana.com

Vendor Advisory

https://grafana.com/security/security-advisories/cve-2024-8975/

Source: security@grafana.com

Vendor Advisory

Timeline

No history available yet.