Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Alloy by Grafana

    CVE-2024-8975 (GCVE-0-2024-8975)

    Vulnerability from nvd – Published: 2024-09-25 16:42 – Updated: 2024-09-26 16:22
    VLAI
    Title
    Grafana Alloy on Windows Unquoted service path
    Summary
    Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-428 - Unquoted Search Path or Element
    Assigner
    Impacted products
    Vendor Product Version
    Grafana Alloy Affected: 0 , < 1.3.3 (semver)
    Affected: 1.4.0-rc.0 , ≤ 1.4.0-rc.1 (semver)
    Create a notification for this product.
    grafana alloy Affected: 0 , < 1.3.3 (semver)
    Affected: 1.4.0-rc.0 , ≤ 1.4.0-rc.1 (semver)
        cpe:2.3:a:grafana:alloy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-25 13:40
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:grafana:alloy:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "alloy",
                "vendor": "grafana",
                "versions": [
                  {
                    "lessThan": "1.3.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  },
                  {
                    "lessThanOrEqual": "1.4.0-rc.1",
                    "status": "affected",
                    "version": "1.4.0-rc.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8975",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T17:41:05.326706Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T17:43:08.082Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Alloy",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "1.3.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "1.4.0-rc.1",
                  "status": "affected",
                  "version": "1.4.0-rc.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2024-09-25T13:40:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM\u003cbr\u003e\u003cp\u003eThis issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM\nThis issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-428",
                  "description": "CWE-428 Unquoted Search Path or Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-26T16:22:26.037Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "url": "https://grafana.com/security/security-advisories/cve-2024-8975/"
            },
            {
              "url": "https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996/"
            },
            {
              "url": "https://github.com/grafana/alloy/releases/tag/v1.4.1"
            },
            {
              "url": "https://github.com/grafana/alloy/releases/tag/v1.3.4"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Uninstall Alloy, and then perform a clean install with version either 1.3.4 or 1.4.1 or a higher version\u003cbr\u003e"
                }
              ],
              "value": "Uninstall Alloy, and then perform a clean install with version either 1.3.4 or 1.4.1 or a higher version"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Grafana Alloy on Windows Unquoted service path",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Edit the registry to manually \u003cspan style=\"background-color: transparent;\"\u003eadd the double quotes manually to `Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Alloy\\ImagePath`\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Edit the registry to manually add the double quotes manually to `Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Alloy\\ImagePath`"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2024-8975",
        "datePublished": "2024-09-25T16:42:09.998Z",
        "dateReserved": "2024-09-18T14:51:37.565Z",
        "dateUpdated": "2024-09-26T16:22:26.037Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8975 (GCVE-0-2024-8975)

    Vulnerability from cvelistv5 – Published: 2024-09-25 16:42 – Updated: 2024-09-26 16:22
    VLAI
    Title
    Grafana Alloy on Windows Unquoted service path
    Summary
    Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM This issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-428 - Unquoted Search Path or Element
    Assigner
    Impacted products
    Vendor Product Version
    Grafana Alloy Affected: 0 , < 1.3.3 (semver)
    Affected: 1.4.0-rc.0 , ≤ 1.4.0-rc.1 (semver)
    Create a notification for this product.
    grafana alloy Affected: 0 , < 1.3.3 (semver)
    Affected: 1.4.0-rc.0 , ≤ 1.4.0-rc.1 (semver)
        cpe:2.3:a:grafana:alloy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Date Public
    2024-09-25 13:40
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:grafana:alloy:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "alloy",
                "vendor": "grafana",
                "versions": [
                  {
                    "lessThan": "1.3.3",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  },
                  {
                    "lessThanOrEqual": "1.4.0-rc.1",
                    "status": "affected",
                    "version": "1.4.0-rc.0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8975",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T17:41:05.326706Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-25T17:43:08.082Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "Alloy",
              "vendor": "Grafana",
              "versions": [
                {
                  "lessThan": "1.3.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "lessThanOrEqual": "1.4.0-rc.1",
                  "status": "affected",
                  "version": "1.4.0-rc.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "datePublic": "2024-09-25T13:40:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM\u003cbr\u003e\u003cp\u003eThis issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1.\u003cbr\u003e\u003c/p\u003e"
                }
              ],
              "value": "Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM\nThis issue affects Alloy: before 1.3.3, from 1.4.0-rc.0 through 1.4.0-rc.1."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-233",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-233 Privilege Escalation"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-428",
                  "description": "CWE-428 Unquoted Search Path or Element",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-26T16:22:26.037Z",
            "orgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
            "shortName": "GRAFANA"
          },
          "references": [
            {
              "url": "https://grafana.com/security/security-advisories/cve-2024-8975/"
            },
            {
              "url": "https://grafana.com/blog/2024/09/25/grafana-alloy-and-grafana-agent-flow-security-release-high-severity-fix-for-cve-2024-8975-and-cve-2024-8996/"
            },
            {
              "url": "https://github.com/grafana/alloy/releases/tag/v1.4.1"
            },
            {
              "url": "https://github.com/grafana/alloy/releases/tag/v1.3.4"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Uninstall Alloy, and then perform a clean install with version either 1.3.4 or 1.4.1 or a higher version\u003cbr\u003e"
                }
              ],
              "value": "Uninstall Alloy, and then perform a clean install with version either 1.3.4 or 1.4.1 or a higher version"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Grafana Alloy on Windows Unquoted service path",
          "workarounds": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Edit the registry to manually \u003cspan style=\"background-color: transparent;\"\u003eadd the double quotes manually to `Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Alloy\\ImagePath`\u003c/span\u003e\n\n\u003cbr\u003e"
                }
              ],
              "value": "Edit the registry to manually add the double quotes manually to `Computer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Alloy\\ImagePath`"
            }
          ],
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "57da9224-a3e2-4646-9d0e-c4dc2e05e7da",
        "assignerShortName": "GRAFANA",
        "cveId": "CVE-2024-8975",
        "datePublished": "2024-09-25T16:42:09.998Z",
        "dateReserved": "2024-09-18T14:51:37.565Z",
        "dateUpdated": "2024-09-26T16:22:26.037Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }