CVE-2024-31216

source-controller leaks the Azure Storage SAS token into logs on connection errors

Summary
  • Severity Score: 5.1 (CVSS v3.1)
  • Exploit Likelihood: - (EPSS)
  • Affected Versions: see CPE table below
  • Public Exploits: 0 (multiple sources)
  • Exploited in Wild: - (KEV)
  • Decision: Track (SSVC)
Descriptions

The source-controller is a Kubernetes operator specialised in acquiring artifacts from external sources such as Git, OCI and Helm repositories and S3-compatible buckets. It implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token to connect to Azure Blob Storage, the token was logged together with the Azure URL whenever the controller encountered a connection error. An attacker with access to the source-controller logs could use that token to access the Azure Blob Storage account until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround other than using a different authentication mechanism, such as Azure Workload Identity.
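The defect described above is a CWE-532 pattern: an endpoint URL carrying a credential in its query string is interpolated into an error message, and the error is then written to the controller log. The following Go program is an added example, not code from the fluxcd/source-controller project, showing the leaky form beside a hardened one that scrubs the SAS parameters before the URL reaches any error or log line. The list of SAS query keys is an assumption taken from Azure's public SAS documentation, and the account name and signature in the sample are constructed, obviously fake values.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// sasQueryParams are the query-string keys that make up an Azure Storage
// shared access signature. Assumption: drawn from Azure's public SAS
// documentation; this is not source-controller's own list.
var sasQueryParams = []string{"sv", "ss", "srt", "sr", "sp", "st", "se", "sip", "spr", "si", "sig"}

// RedactSAS returns a copy of rawURL in which the value of every SAS
// parameter is replaced by the literal "REDACTED", so scheme, host and
// container path stay readable in a log line while the credential does not.
// A URL that cannot be parsed is withheld entirely, because it may still
// carry a token somewhere the parser could not locate.
func RedactSAS(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable URL withheld>"
	}
	q := u.Query()
	for _, k := range sasQueryParams {
		if q.Has(k) {
			q.Set(k, "REDACTED")
		}
	}
	u.RawQuery = q.Encode()
	return u.String()
}

// LeakyConnectError mirrors the pre-1.2.5 behaviour described in the CVE:
// the full endpoint, token included, ends up in the error text and hence in
// whatever logs that error. Kept only to contrast with SafeConnectError.
func LeakyConnectError(endpoint string, cause error) error {
	return fmt.Errorf("failed to connect to %s: %w", endpoint, cause)
}

// SafeConnectError is the hardened form: the endpoint is scrubbed before it
// is interpolated, so no downstream logger can emit the token. The original
// cause is still wrapped so callers can inspect it with errors.Is/As.
func SafeConnectError(endpoint string, cause error) error {
	return fmt.Errorf("failed to connect to %s: %w", RedactSAS(endpoint), cause)
}

func main() {
	// Constructed sample: fake storage account, fake container, fake signature.
	endpoint := "https://exampleacct.blob.core.windows.net/flux-artifacts" +
		"?sv=2022-11-02&sp=rl&se=2024-12-31T00%3A00%3A00Z&sr=c&sig=FAKE%2FSIGNATURE%3D"
	cause := errors.New("dial tcp: i/o timeout")
	fmt.Println("leaky:", LeakyConnectError(endpoint, cause))
	fmt.Println("safe: ", SafeConnectError(endpoint, cause))
}
```

Redacting the value rather than dropping the whole query keeps the log useful for operators (they can still see which parameters were present and which account and container were targeted) without exposing anything an attacker with log access could replay. The same scrubber can be run over existing log output as a detection check: any line that still contains a `sig=` value other than the placeholder indicates a logger that bypassed the redaction.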

*Credits: N/A
CVSS Scores
CVSS v3.1 (base score 5.1)
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS v2.0
  • Attack Vector: Local
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-03-29 CVE Reserved
  • 2024-05-15 CVE Published
  • 2024-05-16 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-532: Insertion of Sensitive Information into Log File
CAPEC
Affected Vendors, Products, and Versions
Vendor   Product            Version   Other   Status
Fluxcd   Source-controller  < 1.2.5   en      Affected