Grafana Alloy unquoted service path
High
| Advisory ID: | CVE-2024-8975 |
| Published: | 2024-09-25 |
| Product: | Grafana Alloy |
| CVSS Score: | 7.3 |
| CVSS Vector: | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
| Fixed Versions: | >=1.3.3 |
Summary
On a windows machine, the Grafana Alloy service prior to 1.3.3 is vulnerable to a privilege escalation from local user to SYSTEM due to an unquoted service path.
It is recommended that you remove the Grafana Alloy installation and do a clean install. An update will not resolve the issue. An alternative would be to add the double quotes manually to
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alloy\ImagePath