CVE-2024-27294

Published: Feb 29, 2024

Modified: Aug 8, 2024

PUBLISHED

CVSS v3.1

7.3

HIGH

Description

dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the installed package was On macOS: Go version 1.4.3 through 1.21rc3, inclusive, go1.4-bootstrap-20170518.tar.gz, or go1.4-bootstrap-20170531.tar.gz. The user and group specified in Puppet code were ignored for files within the archive. dp-puppet version 1.2.7 will recreate installations if the owner or group of any file or directory within that installation does not match the requested owner or group

Vendor	Product	Versions
danielparks	puppet-golang	affected `< 1.2.7`

Weaknesses (CWE)

CWE-732

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

High

References

https://github.com/danielparks/puppet-golang/security/advisories/GHSA-8h8m-h98f-vv84

x_refsource_CONFIRM

https://github.com/danielparks/puppet-golang/commit/1d0865b24071cb1c00d2fd8cb755d444e6e8f888

x_refsource_MISC

https://github.com/danielparks/puppet-golang/commit/870724a7fef50208515da7bbfa9dfd5d6950e7f5

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-27294

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References