logo

Database

Insecure session management In github.com/fluxcd/source-controller

Description

source-controller leaks Azure Storage SAS token into logs

Impact

When source-controller is configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.

Patches

This vulnerability was fixed in source-controller v1.2.5.

Workarounds

There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.

Credits

This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.

References

https://github.com/fluxcd/source-controller/pull/1430

For more information

If you have any questions or comments about this advisory:

    Open an issue in the source-controller repository.

    Contact us at the CNCF Flux Channel.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-312162. NVD-2024-312163. OSV-2024-312164. GHSA-v554-xwgw-hc3w5. GCVE-2024-31216

References

1. https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w2. https://github.com/fluxcd/source-controller/pull/14303. https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

FLAT-F4RNK – Vulnerability | Fluid Attacks Database