CVE-2024-31216

Published: May 15, 2024

Modified: Aug 2, 2024

PUBLISHED

CVSS v3.1

5.1

MEDIUM

Description

The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.

Vendor	Product	Versions
fluxcd	source-controller	affected `< 1.2.5`

Weaknesses (CWE)

CWE-532

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w

x_refsource_CONFIRM

https://github.com/fluxcd/source-controller/pull/1430

x_refsource_MISC

https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-31216

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References