What is the severity of CVE-2024-27294?

The severity of CVE-2024-27294 is considered moderate due to potential misconfigurations that can lead to unauthorized access to files.

How do I fix CVE-2024-27294?

To fix CVE-2024-27294, upgrade dp-golang to version 1.2.7 or later to ensure correct file ownership during installations.

Which versions are affected by CVE-2024-27294?

CVE-2024-27294 affects dp-golang versions prior to 1.2.7 and Go versions from 1.4.3 to 1.21rc3.

What types of systems are impacted by CVE-2024-27294?

CVE-2024-27294 primarily impacts systems running Puppet with the dp-golang module, especially in Go installations on macOS.

Is there a workaround for CVE-2024-27294?

While upgrading is recommended, an immediate workaround may involve manually correcting file ownership after installation.

Vulnerability/
CVE-2024-27294

high

7.8

CWE

732

EPSS

0.045%

29/2/2024

4/3/2025

CVE-2024-27294: dp-golang Go installation could be owned by wrong user

First published: Thu Feb 29 2024(Updated: )

dp-golang is a Puppet module for Go installations. Prior to 1.2.7, dp-golang could install files — including the compiler binary — with the wrong ownership when Puppet was run as root and the installed package was On macOS: Go version 1.4.3 through 1.21rc3, inclusive, go1.4-bootstrap-20170518.tar.gz, or go1.4-bootstrap-20170531.tar.gz. The user and group specified in Puppet code were ignored for files within the archive. dp-puppet version 1.2.7 will recreate installations if the owner or group of any file or directory within that installation does not match the requested owner or group

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
dp-golang	<1.2.7
Go Go	>=1.4.3<=1.21rc3
Go Go
	<1.2.7

Remedy

https://github.com/danielparks/puppet-golang/commit/1d0865b24071cb1c00d2fd8cb755d444e6e8f888

Remedy

https://github.com/danielparks/puppet-golang/commit/870724a7fef50208515da7bbfa9dfd5d6950e7f5

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2024-27294?
The severity of CVE-2024-27294 is considered moderate due to potential misconfigurations that can lead to unauthorized access to files.
How do I fix CVE-2024-27294?
To fix CVE-2024-27294, upgrade dp-golang to version 1.2.7 or later to ensure correct file ownership during installations.
Which versions are affected by CVE-2024-27294?
CVE-2024-27294 affects dp-golang versions prior to 1.2.7 and Go versions from 1.4.3 to 1.21rc3.
What types of systems are impacted by CVE-2024-27294?
CVE-2024-27294 primarily impacts systems running Puppet with the dp-golang module, especially in Go installations on macOS.
Is there a workaround for CVE-2024-27294?
While upgrading is recommended, an immediate workaround may involve manually correcting file ownership after installation.

agent/references
agent/weakness
agent/title
agent/type
agent/first-publish-date
agent/description
agent/author
agent/event
collector/epss-latest
source/FIRST
agent/epss
collector/mitre-cve
source/MITRE
agent/source
agent/remedy
agent/last-modified-date
agent/severity
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/tags
agent/softwarecombine
collector/nvd-api
source/NVD
vendor/dp-golang
canonical/dp-golang
vendor/go
canonical/go go
vendor/danielparks

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.