MidnightBSD

Advisories for danielparks

CVE-2024-27294

dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the installed package was On macOS: Go version 1.4.3 through 1.21rc3, inclusive, go1.4-bootstrap-20170518.tar.gz, or go1.4-bootstrap-20170531.tar.gz. The user and group specified in Puppet code were ignored for files within the archive. dp-puppet version 1.2.7 will recreate installations if the owner or group of any file or directory within that installation does not match the requested owner or group

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security-advisories@github.com 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H 1.8 5.5

Products Affected

Vendor Product Version
danielparks dp-golang *