Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS12NTU0LXh3Z3ctaGMzd84AA8GA

source-controller leaks Azure Storage SAS token into logs

Impact

When source-controller is configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.

Patches

This vulnerability was fixed in source-controller v1.2.5.

Workarounds

There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.

Credits

This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.

References

https://github.com/fluxcd/source-controller/pull/1430

For more information

If you have any questions or comments about this advisory:

• Open an issue in the source-controller repository.
• Contact us at the CNCF Flux Channel.

Permalink: https://github.com/advisories/GHSA-v554-xwgw-hc3w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NTU0LXh3Z3ctaGMzd84AA8GA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 7 months ago
Updated: 7 months ago

CVSS Score: 5.1
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Identifiers: GHSA-v554-xwgw-hc3w, CVE-2024-31216
References:

• https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w
• https://github.com/fluxcd/source-controller/pull/1430
• https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9
• https://nvd.nist.gov/vuln/detail/CVE-2024-31216
• https://github.com/advisories/GHSA-v554-xwgw-hc3w

Repository: https://github.com/fluxcd/source-controller
Blast Radius: 8.2

Affected Packages