ghsa-gppm-hq3p-h4rp
Vulnerability from github
Published
2024-11-08 19:03
Modified
2024-11-20 19:32
Severity ?
8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
Summary
Git credentials are exposed in Atlantis logs
Details

Summary

Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

Atlantis logs contains GitHub credentials (tokens ghs_...) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub.

When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization.

This was reported in https://github.com/runatlantis/atlantis/issues/4060 and fixed in https://github.com/runatlantis/atlantis/pull/4667 . The fix was included in Atlantis v0.30.0.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

While auditing the Kubernetes/Argo CD/Atlantis deployment of some company, the following set-up was encountered:

  • Most employees have read-only access to Argo CD, enabling them to see the health of deployed applications.
  • Atlantis was deployed as an Argo CD application.
  • Atlantis was used to manage the configuration of a GitHub organization (such as team members), using Terraform's GitHub integration.

Atlantis logs on Argo CD contained lines such as:

json {"level":"debug","ts":"2024-11-07T17:58:30.636Z","caller":"vcs/gh_app_creds_rotator.go:58","msg":"Refreshing git tokens for Github App","json":{}} {"level":"debug","ts":"2024-11-07T17:58:30.637Z","caller":"vcs/gh_app_creds_rotator.go:64","msg":"token ghs_[REDACTED]","json":{}} {"level":"debug","ts":"2024-11-07T17:58:30.637Z","caller":"vcs/git_cred_writer.go:36","msg":"git credentials file has expected contents, not modifying","json":{}}

This enabled employees with read-only access to Argo CD to get administration privileges on the GitHub organization, compromising all repositories. As some repositories were used for Infrastructure-as-Code deployment (with Atlantis), this enabled the security auditors to get cluster admin privileges on most Kubernetes clusters.

While the set-up "most employees have read-only access to Argo CD" can be seen as dangerous, this should not incur such security risk (cf. https://argo-cd.readthedocs.io/en/stable/operator-manual/security/). The main issue here was that the logs contained privileged GitHub tokens as they were obtained by Atlantis.

This issue was already reported (https://github.com/runatlantis/atlantis/issues/4060) and fixed (https://github.com/runatlantis/atlantis/pull/4667) but no security advisory was published on https://github.com/runatlantis/atlantis/security and no CVE was assigned (https://app.opencve.io/cve/?&vendor=runatlantis&product=atlantis only lists CVE-2022-24912, which is unrelated).

Could you please publish a security advisory?

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

cf. https://github.com/runatlantis/atlantis/issues/4060 for more details.

Impact

What kind of vulnerability is it? Who is impacted?

  • This leaks sensitive GitHub tokens in the log files (CWE-532: Insertion of Sensitive Information into Log File).
  • This could enable anyone with log read access to compromiseGitHub organizations managed by Atlantis.
  • This impact at least users using Atlantis with Github application and integration.
Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/runatlantis/atlantis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-08T19:03:35Z",
    "nvd_published_at": "2024-11-08T23:15:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._\n\nAtlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub.\n\nWhen Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization.\n\nThis was reported in https://github.com/runatlantis/atlantis/issues/4060 and fixed in https://github.com/runatlantis/atlantis/pull/4667 . The fix was included in [Atlantis v0.30.0](https://github.com/runatlantis/atlantis/releases/tag/v0.30.0).\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\nWhile auditing the Kubernetes/Argo CD/Atlantis deployment of some company, the following set-up was encountered:\n\n- Most employees have read-only access to Argo CD, enabling them to see the health of deployed applications.\n- Atlantis was deployed as an Argo CD application.\n- Atlantis was used to manage the configuration of a GitHub organization (such as team members), using [Terraform\u0027s GitHub integration](https://registry.terraform.io/providers/integrations/github/latest).\n\nAtlantis logs on Argo CD contained lines such as:\n\n```json\n{\"level\":\"debug\",\"ts\":\"2024-11-07T17:58:30.636Z\",\"caller\":\"vcs/gh_app_creds_rotator.go:58\",\"msg\":\"Refreshing git tokens for Github App\",\"json\":{}}\n{\"level\":\"debug\",\"ts\":\"2024-11-07T17:58:30.637Z\",\"caller\":\"vcs/gh_app_creds_rotator.go:64\",\"msg\":\"token ghs_[REDACTED]\",\"json\":{}}\n{\"level\":\"debug\",\"ts\":\"2024-11-07T17:58:30.637Z\",\"caller\":\"vcs/git_cred_writer.go:36\",\"msg\":\"git credentials file has expected contents, not modifying\",\"json\":{}}\n```\n\nThis enabled employees with read-only access to Argo CD to get administration privileges on the GitHub organization, compromising all repositories. As some repositories were used for Infrastructure-as-Code deployment (with Atlantis), this enabled the security auditors to get cluster admin privileges on most Kubernetes clusters.\n\nWhile the set-up \"most employees have read-only access to Argo CD\" can be seen as dangerous, this should not incur such security risk (cf. https://argo-cd.readthedocs.io/en/stable/operator-manual/security/). The main issue here was that the logs contained privileged GitHub tokens as they were obtained by Atlantis.\n\nThis issue was already reported  (https://github.com/runatlantis/atlantis/issues/4060) and fixed (https://github.com/runatlantis/atlantis/pull/4667) but no security advisory was published on https://github.com/runatlantis/atlantis/security and no CVE was assigned (https://app.opencve.io/cve/?\u0026vendor=runatlantis\u0026product=atlantis only lists [CVE-2022-24912](https://nvd.nist.gov/vuln/detail/CVE-2022-24912), which is unrelated).\n\nCould you please publish a security advisory?\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n\ncf. https://github.com/runatlantis/atlantis/issues/4060 for more details.\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\n- This leaks sensitive GitHub tokens in the log files (CWE-532: Insertion of Sensitive Information into Log File).\n- This could enable anyone with log read access to compromiseGitHub organizations managed by Atlantis.\n- This impact at least users using Atlantis with Github application and integration.",
  "id": "GHSA-gppm-hq3p-h4rp",
  "modified": "2024-11-20T19:32:50Z",
  "published": "2024-11-08T19:03:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52009"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/issues/4060"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/pull/4667"
    },
    {
      "type": "WEB",
      "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/runatlantis/atlantis"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3265"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Git credentials are exposed in Atlantis logs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.