Vulnerability Details CVE-2024-27294
dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the installed package was On macOS: Go version 1.4.3 through 1.21rc3, inclusive, go1.4-bootstrap-20170518.tar.gz, or go1.4-bootstrap-20170531.tar.gz. The user and group specified in Puppet code were ignored for files within the archive. dp-puppet version 1.2.7 will recreate installations if the owner or group of any file or directory within that installation does not match the requested owner or group
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 27.1%
CVSS Severity
CVSS v3 Score 7.3
References
- https://github.com/danielparks/puppet-golang/commit/1d0865b24071cb1c00d2fd8cb755d444e6e8f888
- https://github.com/danielparks/puppet-golang/commit/870724a7fef50208515da7bbfa9dfd5d6950e7f5
- https://github.com/danielparks/puppet-golang/security/advisories/GHSA-8h8m-h98f-vv84
- https://github.com/danielparks/puppet-golang/commit/1d0865b24071cb1c00d2fd8cb755d444e6e8f888
- https://github.com/danielparks/puppet-golang/commit/870724a7fef50208515da7bbfa9dfd5d6950e7f5
- https://github.com/danielparks/puppet-golang/security/advisories/GHSA-8h8m-h98f-vv84
Products affected by CVE-2024-27294
-
cpe:2.3:a:danielparks:dp-golang:-
-
cpe:2.3:a:danielparks:dp-golang:1.0.0
-
cpe:2.3:a:danielparks:dp-golang:1.0.1
-
cpe:2.3:a:danielparks:dp-golang:1.0.2
-
cpe:2.3:a:danielparks:dp-golang:1.0.3
-
cpe:2.3:a:danielparks:dp-golang:1.0.4
-
cpe:2.3:a:danielparks:dp-golang:1.0.5
-
cpe:2.3:a:danielparks:dp-golang:1.0.6
-
cpe:2.3:a:danielparks:dp-golang:1.0.7
-
cpe:2.3:a:danielparks:dp-golang:1.1.0
-
cpe:2.3:a:danielparks:dp-golang:1.2.0
-
cpe:2.3:a:danielparks:dp-golang:1.2.1
-
cpe:2.3:a:danielparks:dp-golang:1.2.2
-
cpe:2.3:a:danielparks:dp-golang:1.2.3
-
cpe:2.3:a:danielparks:dp-golang:1.2.4
-
cpe:2.3:a:danielparks:dp-golang:1.2.5
-
cpe:2.3:a:danielparks:dp-golang:1.2.6