fkie_cve-2024-31216
Vulnerability from fkie_nvd
Published
2024-05-15 16:15
Modified
2024-11-21 09:13
Severity ?
5.1 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.
References
security-advisories@github.comhttps://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9
security-advisories@github.comhttps://github.com/fluxcd/source-controller/pull/1430
security-advisories@github.comhttps://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w
af854a3a-2127-422b-91ae-364da2661108https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9
af854a3a-2127-422b-91ae-364da2661108https://github.com/fluxcd/source-controller/pull/1430
af854a3a-2127-422b-91ae-364da2661108https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity."
    },
    {
      "lang": "es",
      "value": "El controlador de fuente es un operador de Kubernetes, especializado en la adquisici\u00f3n de artefactos de fuentes externas como Git, OCI, repositorios Helm y dep\u00f3sitos compatibles con S3. El controlador de fuente implementa la API source.toolkit.fluxcd.io y es un componente central del kit de herramientas GitOps. Antes de la versi\u00f3n 1.2.5, cuando el controlador de origen se configuraba para usar un token SAS de Azure al conectarse a Azure Blob Storage, el token se registraba junto con la direcci\u00f3n URL de Azure cuando el controlador encontraba un error de conexi\u00f3n. Un atacante con acceso a los registros del controlador de origen podr\u00eda usar el token para obtener acceso a Azure Blob Storage hasta que caduque el token. Esta vulnerabilidad se solucion\u00f3 en el controlador de fuente v1.2.5. No existe ninguna soluci\u00f3n para esta vulnerabilidad excepto el uso de un mecanismo de autenticaci\u00f3n diferente, como Azure Workload Identity."
    }
  ],
  "id": "CVE-2024-31216",
  "lastModified": "2024-11-21T09:13:03.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.5,
        "impactScore": 2.5,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-05-15T16:15:10.097",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fluxcd/source-controller/pull/1430"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/fluxcd/source-controller/pull/1430"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.