THREATINT


PUBLISHED

CVE-2024-31216

source-controller leaks the Azure Storage SAS token into logs on connection errors

Reserved: 2024-03-29
Published: 2024-05-15
Updated: 2024-05-15

Description

The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.
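The weakness class described above (CWE-532), shown as an added Go example that is not source-controller's own code: the SAS token is a query string on the storage URL, so an error message that interpolates the full endpoint carries the credential into the log. The example assumes a constructed endpoint and a fake signature, and contrasts that pattern with a version that redacts the `sig` parameter before the error is formatted.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// sasSecret is the SAS query key carrying the HMAC signature; the other SAS
// fields (sv, sp, se, ...) describe policy and expiry and are safe to keep.
const sasSecret = "sig"

// redactSAS returns a copy of the URL with the SAS signature replaced by
// "REDACTED", so the endpoint stays identifiable in logs while the
// credential does not. Parse failures are returned, not logged.
func redactSAS(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if q.Get(sasSecret) != "" {
		q.Set(sasSecret, "REDACTED")
		u.RawQuery = q.Encode()
	}
	return u.String(), nil
}

// unsafeErrorMessage mirrors the CWE-532 pattern: the full endpoint,
// SAS token included, is formatted into the error that reaches the log.
func unsafeErrorMessage(endpoint string, cause error) string {
	return fmt.Sprintf("failed to connect to %s: %v", endpoint, cause)
}

// safeErrorMessage reports the same failure with the signature redacted.
func safeErrorMessage(endpoint string, cause error) string {
	clean, err := redactSAS(endpoint)
	if err != nil {
		clean = "<unparseable endpoint>"
	}
	return fmt.Sprintf("failed to connect to %s: %v", clean, cause)
}

func main() {
	// Constructed sample: a blob endpoint with a fake SAS token (assumption).
	endpoint := "https://example.blob.core.windows.net/bucket?sv=2022-11-02&sp=r&se=2024-06-01&sig=FAKESIGNATURE"
	cause := errors.New("dial tcp: connection refused")
	fmt.Println(unsafeErrorMessage(endpoint, cause))
	fmt.Println(safeErrorMessage(endpoint, cause))
}
```

Redacting at the point where the error is built, rather than filtering the log sink, also covers error strings that are wrapped and surfaced in Kubernetes status conditions or events.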



MEDIUM: 5.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Problem types

CWE-532: Insertion of Sensitive Information into Log File

Product status

< 1.2.5: affected

References

https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w

https://github.com/fluxcd/source-controller/pull/1430

https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9

cve.org CVE-2024-31216

nvd.nist.gov CVE-2024-31216
