GHSA-chqx-36rm-rf8h

Suggest an improvement
Source
https://github.com/advisories/GHSA-chqx-36rm-rf8h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-chqx-36rm-rf8h/GHSA-chqx-36rm-rf8h.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-chqx-36rm-rf8h
Aliases
Published
2024-09-25T18:31:21Z
Modified
2025-05-21T09:42:16.703224Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
  • 4.0 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Grafana Alloy on Windows has Unquoted Search Path or Element vulnerability
Details

Unquoted Search Path or Element vulnerability in Grafana Alloy on Windows allows Privilege Escalation from Local User to SYSTEM. This issue affects Alloy: before 1.3.4, from 1.4.0-rc.0 and prior to 1.4.1.

Database specific 
{
    "cwe_ids": [
        "CWE-428"
    ],
    "github_reviewed": true,
    "nvd_published_at": "2024-09-25T17:15:19Z",
    "github_reviewed_at": "2024-10-01T22:28:59Z",
    "severity": "MODERATE"
}
References

Affected packages

Go / github.com/grafana/alloy

Package

Name
github.com/grafana/alloy
View open source insights on deps.dev
Purl
pkg:golang/github.com/grafana/alloy

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.4

Go / github.com/grafana/alloy

Package

Name
github.com/grafana/alloy
View open source insights on deps.dev
Purl
pkg:golang/github.com/grafana/alloy

Affected ranges

Type
SEMVER
Events
Introduced
1.4.0-rc.0
Fixed
1.4.1