GHSA-v554-xwgw-hc3w: source-controller leaks Azure Storage SAS token into logs

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-31216

source-controller leaks Azure Storage SAS token into logs

Moderate severity GitHub Reviewed Published May 15, 2024 in fluxcd/source-controller • Updated May 15, 2024

Package

gomod github.com/fluxcd/source-controller (Go)

Affected versions

< 1.2.5

Impact

When source-controller is configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.

Patches

This vulnerability was fixed in source-controller v1.2.5.

Workarounds

There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.

Credits

This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.

References

fluxcd/source-controller#1430

For more information

If you have any questions or comments about this advisory:

• Open an issue in the source-controller repository.
• Contact us at the CNCF Flux Channel.

References

• GHSA-v554-xwgw-hc3w
• fluxcd/source-controller#1430
• fluxcd/source-controller@915d1a0

Published to the GitHub Advisory Database

May 15, 2024

Last updated

May 15, 2024