Search criteria
1 vulnerability by danielparks
CVE-2024-27294 (GCVE-0-2024-27294)
Vulnerability from cvelistv5 – Published: 2024-02-29 22:47 – Updated: 2024-08-08 19:56
VLAI
Title
dp-golang Go installation could be owned by wrong user
Summary
dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the installed package was On macOS: Go version 1.4.3 through 1.21rc3, inclusive, go1.4-bootstrap-20170518.tar.gz, or go1.4-bootstrap-20170531.tar.gz. The user and group specified in Puppet code were ignored for files within the archive. dp-puppet version 1.2.7 will recreate installations if the owner or group of any file or directory within that installation does not match the requested owner or group
Severity
7.3 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/danielparks/puppet-golang/secu… | x_refsource_CONFIRM |
| https://github.com/danielparks/puppet-golang/comm… | x_refsource_MISC |
| https://github.com/danielparks/puppet-golang/comm… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| danielparks | puppet-golang |
Affected:
< 1.2.7
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:28:00.333Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/danielparks/puppet-golang/security/advisories/GHSA-8h8m-h98f-vv84",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/danielparks/puppet-golang/security/advisories/GHSA-8h8m-h98f-vv84"
},
{
"name": "https://github.com/danielparks/puppet-golang/commit/1d0865b24071cb1c00d2fd8cb755d444e6e8f888",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/danielparks/puppet-golang/commit/1d0865b24071cb1c00d2fd8cb755d444e6e8f888"
},
{
"name": "https://github.com/danielparks/puppet-golang/commit/870724a7fef50208515da7bbfa9dfd5d6950e7f5",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/danielparks/puppet-golang/commit/870724a7fef50208515da7bbfa9dfd5d6950e7f5"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-27294",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-08T19:47:31.123526Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-08T19:56:17.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "puppet-golang",
"vendor": "danielparks",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files \u2014 including the compiler binary \u2014 with the wrong ownership when Puppet was run as root and the installed package was On macOS: Go version 1.4.3 through 1.21rc3, inclusive, go1.4-bootstrap-20170518.tar.gz, or go1.4-bootstrap-20170531.tar.gz. The user and group specified in Puppet code were ignored for files within the archive. dp-puppet version 1.2.7 will recreate installations if the owner or group of any file or directory within that installation does not match the requested owner or group"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732: Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-29T22:47:05.535Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/danielparks/puppet-golang/security/advisories/GHSA-8h8m-h98f-vv84",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/danielparks/puppet-golang/security/advisories/GHSA-8h8m-h98f-vv84"
},
{
"name": "https://github.com/danielparks/puppet-golang/commit/1d0865b24071cb1c00d2fd8cb755d444e6e8f888",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/danielparks/puppet-golang/commit/1d0865b24071cb1c00d2fd8cb755d444e6e8f888"
},
{
"name": "https://github.com/danielparks/puppet-golang/commit/870724a7fef50208515da7bbfa9dfd5d6950e7f5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/danielparks/puppet-golang/commit/870724a7fef50208515da7bbfa9dfd5d6950e7f5"
}
],
"source": {
"advisory": "GHSA-8h8m-h98f-vv84",
"discovery": "UNKNOWN"
},
"title": "dp-golang Go installation could be owned by wrong user"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-27294",
"datePublished": "2024-02-29T22:47:05.535Z",
"dateReserved": "2024-02-22T18:08:38.874Z",
"dateUpdated": "2024-08-08T19:56:17.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}