CVE-2024-31216 (GCVE-0-2024-31216)
Vulnerability from cvelistv5 – Published: 2024-05-15 15:52 – Updated: 2024-08-02 01:46
Summary
The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.
Severity
5.1 (Medium)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w | x_refsource_CONFIRM |
| https://github.com/fluxcd/source-controller/pull/1430 | x_refsource_MISC |
| https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| fluxcd | source-controller | Affected: < 1.2.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31216",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-16T17:32:05.849081Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T18:16:00.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:46:04.808Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w"
},
{
"name": "https://github.com/fluxcd/source-controller/pull/1430",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fluxcd/source-controller/pull/1430"
},
{
"name": "https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "source-controller",
"vendor": "fluxcd",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-05-15T15:52:15.084Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w"
},
{
"name": "https://github.com/fluxcd/source-controller/pull/1430",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluxcd/source-controller/pull/1430"
},
{
"name": "https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9"
}
],
"source": {
"advisory": "GHSA-v554-xwgw-hc3w",
"discovery": "UNKNOWN"
},
"title": "source-controller leaks theAzure Storage SAS token into logs on connection errors"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31216",
"datePublished": "2024-05-15T15:52:15.084Z",
"dateReserved": "2024-03-29T14:16:31.901Z",
"dateUpdated": "2024-08-02T01:46:04.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"descriptions": "[{\"lang\": \"en\", \"value\": \"The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.\"}, {\"lang\": \"es\", \"value\": \"El controlador de fuente es un operador de Kubernetes, especializado en la adquisici\\u00f3n de artefactos de fuentes externas como Git, OCI, repositorios Helm y dep\\u00f3sitos compatibles con S3. El controlador de fuente implementa la API source.toolkit.fluxcd.io y es un componente central del kit de herramientas GitOps. Antes de la versi\\u00f3n 1.2.5, cuando el controlador de origen se configuraba para usar un token SAS de Azure al conectarse a Azure Blob Storage, el token se registraba junto con la direcci\\u00f3n URL de Azure cuando el controlador encontraba un error de conexi\\u00f3n. Un atacante con acceso a los registros del controlador de origen podr\\u00eda usar el token para obtener acceso a Azure Blob Storage hasta que caduque el token. Esta vulnerabilidad se solucion\\u00f3 en el controlador de fuente v1.2.5. No existe ninguna soluci\\u00f3n para esta vulnerabilidad excepto el uso de un mecanismo de autenticaci\\u00f3n diferente, como Azure Workload Identity.\"}]",
"id": "CVE-2024-31216",
"lastModified": "2024-11-21T09:13:03.663",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"baseScore\": 5.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.5, \"impactScore\": 2.5}]}",
"published": "2024-05-15T16:15:10.097",
"references": "[{\"url\": \"https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/fluxcd/source-controller/pull/1430\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/fluxcd/source-controller/pull/1430\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-532\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-31216\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-05-15T16:15:10.097\",\"lastModified\":\"2024-11-21T09:13:03.663\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.\"},{\"lang\":\"es\",\"value\":\"El controlador de fuente es un operador de Kubernetes, especializado en la adquisici\u00f3n de artefactos de fuentes externas como Git, OCI, repositorios Helm y dep\u00f3sitos compatibles con S3. El controlador de fuente implementa la API source.toolkit.fluxcd.io y es un componente central del kit de herramientas GitOps. Antes de la versi\u00f3n 1.2.5, cuando el controlador de origen se configuraba para usar un token SAS de Azure al conectarse a Azure Blob Storage, el token se registraba junto con la direcci\u00f3n URL de Azure cuando el controlador encontraba un error de conexi\u00f3n. Un atacante con acceso a los registros del controlador de origen podr\u00eda usar el token para obtener acceso a Azure Blob Storage hasta que caduque el token. Esta vulnerabilidad se solucion\u00f3 en el controlador de fuente v1.2.5. No existe ninguna soluci\u00f3n para esta vulnerabilidad excepto el uso de un mecanismo de autenticaci\u00f3n diferente, como Azure Workload Identity.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.5,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"references\":[{\"url\":\"https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fluxcd/source-controller/pull/1430\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/fluxcd/source-controller/pull/1430\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-31216\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-16T17:32:05.849081Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-16T17:31:40.521Z\"}}], \"cna\": {\"title\": \"source-controller leaks theAzure Storage SAS token into logs on connection errors\", \"source\": {\"advisory\": \"GHSA-v554-xwgw-hc3w\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"fluxcd\", \"product\": \"source-controller\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 1.2.5\"}]}], \"references\": [{\"url\": \"https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w\", \"name\": \"https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/fluxcd/source-controller/pull/1430\", \"name\": \"https://github.com/fluxcd/source-controller/pull/1430\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9\", \"name\": \"https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-532\", \"description\": \"CWE-532: Insertion of Sensitive Information into Log File\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-05-15T15:52:15.084Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-31216\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-07-24T18:16:00.378Z\", \"dateReserved\": \"2024-03-29T14:16:31.901Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-05-15T15:52:15.084Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.