
A critical security vulnerability has been discovered in the Grafana Plugin SDK for Go that could lead to the inadvertent leakage of sensitive information, including repository credentials.
The vulnerability, tracked as CVE-2024-8986 with a CVSS score of 9.1, is triggered when developers include credentials in their repository URIs, a practice sometimes used to let a build fetch private dependencies. In such cases the final plugin binary ends up containing the complete URI, credentials included.
An attacker who obtains a plugin built with an affected SDK version can extract these embedded credentials with little effort, since the URI is present in the binary as a plain string that a simple strings search will surface. That potentially grants unauthorized access to the private repositories and to the sensitive code or data they contain.
All versions of the Grafana Plugin SDK for Go up to and including 0.249.0 are affected. The Grafana team has addressed the issue in version 0.250.0.
Developers who have built Grafana plugins with a vulnerable SDK version are strongly urged to upgrade to 0.250.0 or later and to rebuild and republish their plugins, since upgrading the SDK does nothing for binaries that have already been compiled and distributed. Any repository credentials that may have been exposed this way should be treated as compromised and rotated, regardless of whether the plugin has been rebuilt.
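The following Go program is an added example and is not Grafana's code or the SDK's build step; it shows the two checks a plugin author would want after reading the advisory. RedactRepoURL strips userinfo from a repository URI before the URI is handed to any build-metadata step, and FindEmbeddedCredentials scans the raw bytes of a built artifact for URIs that still carry credentials. The regular expression, the Finding type and the sampleArtifact bytes are constructed for this example, and the token in the sample is fake.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"regexp"
	"strings"
)

// credentialURL matches "scheme://user[:password]@rest", the shape a repository
// URI takes when credentials are embedded in it. Whitespace, quotes and NUL end
// a match so that adjacent strings in a binary's data section are not merged.
// Pattern constructed for this example.
var credentialURL = regexp.MustCompile(
	`([A-Za-z][A-Za-z0-9+.-]*)://([^\s/@:\x00]+)(?::([^\s/@\x00]*))?@([^\s"'\x00]+)`)

// Finding is one URI with userinfo located in a build artifact.
type Finding struct {
	URL         string // full match, including the secret; never log it as-is
	User        string // may itself be a token (GitHub accepts tokens as usernames)
	HasPassword bool
}

// Redacted returns the URI with its userinfo masked, safe to put in a report.
func (f Finding) Redacted() string {
	return credentialURL.ReplaceAllString(f.URL, "${1}://***@${4}")
}

// FindEmbeddedCredentials scans raw bytes (a compiled plugin, for instance) for
// URIs that carry userinfo. It is a post-build check, not a replacement for
// keeping credentials out of the URI in the first place.
func FindEmbeddedCredentials(artifact []byte) []Finding {
	var out []Finding
	for _, m := range credentialURL.FindAllSubmatch(artifact, -1) {
		out = append(out, Finding{
			URL:         string(m[0]),
			User:        string(m[2]),
			HasPassword: len(m[3]) > 0, // nil when the optional password group did not match
		})
	}
	return out
}

// RedactRepoURL strips userinfo from a repository URI before it is embedded in
// build metadata and reports whether anything was removed. scp-style remotes
// (git@host:path) have no password component and are returned unchanged.
func RedactRepoURL(raw string) (string, bool, error) {
	if !strings.Contains(raw, "://") {
		return raw, false, nil
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", false, err
	}
	if u.User == nil {
		return raw, false, nil
	}
	u.User = nil
	return u.String(), true, nil
}

// sampleArtifact is a constructed stand-in for a compiled plugin: a few
// NUL-separated strings laid out the way a linker would place them.
var sampleArtifact = []byte("\x00vcs.revision=abc123\x00" +
	"https://x-access-token:ghp_example@github.com/acme/private-dep.git\x00" +
	"https://github.com/grafana/grafana-plugin-sdk-go\x00" +
	"ssh://git@github.com/acme/plugin.git\x00" +
	"go1.22.0\x00")

func main() {
	artifact := sampleArtifact
	if len(os.Args) > 1 { // pass the path of a real plugin binary to scan it instead
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		artifact = data
	}
	findings := FindEmbeddedCredentials(artifact)
	for _, f := range findings {
		fmt.Printf("embedded userinfo: %s (password present: %v)\n", f.Redacted(), f.HasPassword)
	}
	if len(findings) > 0 {
		os.Exit(1) // non-zero exit so a release pipeline can gate on it
	}
}
```

Run without arguments to see the scanner flag the two URIs with userinfo in the constructed sample; pass the path of a built plugin as the first argument to check a real artifact, where a non-zero exit makes it usable as a release gate. The scanner only recognises the scheme://user:password@host form, and it deliberately leaves scp-style git@host:path remotes alone, because those name a user but carry no password. A hit on a shipped binary means the credential has already been distributed and must be rotated, not merely removed from the next build.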
