CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31216 – source-controller leaks theAzure Storage SAS token into logs on connection errors
https://notcve.org/view.php?id=CVE-2024-31216
15 May 2024 — The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An a... • https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.0EPSS: 0%CPEs: 35EXPL: 0CVE-2022-39272 – Flux2 vulnerable to Denial of Service due to Improper use of metav1.Duration
https://notcve.org/view.php?id=CVE-2022-39272
21 Oct 2022 — Flux is an open and extensible continuous delivery solution for Kubernetes. Versions prior to 0.35.0 are subject to a Denial of Service. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields `.spec.interval` or `.spec.timeout` (and structured variations of these fields), causing the entire object type to stop being processed. This issue is patched in version 0.35.0. As a workaround, Admission controllers can be emp... • https://github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v • CWE-1284: Improper Validation of Specified Quantity in Input •