Vulnerability Description
dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the installed package was On macOS: Go version 1.4.3 through 1.21rc3, inclusive, go1.4-bootstrap-20170518.tar.gz, or go1.4-bootstrap-20170531.tar.gz. The user and group specified in Puppet code were ignored for files within the archive. dp-puppet version 1.2.7 will recreate installations if the owner or group of any file or directory within that installation does not match the requested owner or group
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Danielparks | Dp-Golang | < 1.2.7 |
Related Weaknesses (CWE)
References
- https://github.com/danielparks/puppet-golang/commit/1d0865b24071cb1c00d2fd8cb755Patch
- https://github.com/danielparks/puppet-golang/commit/870724a7fef50208515da7bbfa9dPatch
- https://github.com/danielparks/puppet-golang/security/advisories/GHSA-8h8m-h98f-Vendor Advisory
- https://github.com/danielparks/puppet-golang/commit/1d0865b24071cb1c00d2fd8cb755Patch
- https://github.com/danielparks/puppet-golang/commit/870724a7fef50208515da7bbfa9dPatch
- https://github.com/danielparks/puppet-golang/security/advisories/GHSA-8h8m-h98f-Vendor Advisory
FAQ
What is CVE-2024-27294?
CVE-2024-27294 is a vulnerability with a CVSS score of 7.3 (HIGH). dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the install...
How severe is CVE-2024-27294?
CVE-2024-27294 has been rated HIGH with a CVSS base score of 7.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-27294?
Check the references section above for vendor advisories and patch information. Affected products include: Danielparks Dp-Golang.