Description
Atlantis is a self-hosted Golang application that listens for Terraform pull request events via webhooks. Atlantis logs contain GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker who can read these logs to impersonate the Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667. The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
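To find which retained log lines carry such a token, the following added example (not Atlantis code and not part of the advisory) scans log text and reports matching lines with the secret redacted. The token pattern, the `ScanLog` and `Finding` names, and the sample log lines are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Assumed token shape: "ghs_" followed by 36 or more alphanumerics.
// The advisory itself shows only the prefix (`ghs_...`).
var ghsToken = regexp.MustCompile(`\bghs_[A-Za-z0-9]{36,}`)

// Finding records where a token appeared without keeping the secret itself.
type Finding struct {
	Line     int
	Redacted string
}

// ScanLog returns one Finding per log line that contains a token.
func ScanLog(log string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	sc.Buffer(make([]byte, 0, 64*1024), 1024*1024) // accept long structured log lines
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if ghsToken.MatchString(line) {
			red := ghsToken.ReplaceAllString(line, "ghs_[REDACTED]")
			out = append(out, Finding{Line: n, Redacted: red})
		}
	}
	return out
}

// Constructed sample lines: not real Atlantis output and not a real token.
const sampleLog = `{"level":"info","msg":"server started","port":4141}
{"level":"debug","msg":"refreshed credentials","token":"ghs_EXAMPLEexampleEXAMPLEexample0123456789"}
{"level":"info","msg":"plan finished","repo":"example/infra"}
`

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("line %d: %s\n", f.Line, f.Redacted)
	}
}
```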
INFO
Published Date: 2024-11-08T22:24:15.300Z
Last Modified: 2024-11-12T19:19:58.293Z
Source: GitHub_M
AFFECTED PRODUCTS
The following products are affected by the CVE-2024-52009 vulnerability.
| Vendors | Products |
|---|---|
| Runatlantis | |