Description

The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.

INFO

Published Date :

2024-05-15T15:52:15.084Z

Last Modified :

2024-08-02T01:46:04.808Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-31216 vulnerability.

Vendors Products
Fluxcd
  • Source-controller
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-31216.

URL Resource
https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9 cve-icon cve-icon
https://github.com/fluxcd/source-controller/pull/1430 cve-icon cve-icon
https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact