CVE-2024-31216
The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.
EPSS 0.15% · 35.7th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| fluxcd | source-controller | < 1.2.5 |
| github.com | fluxcd/source-controller | 0 |
Timeline
- Jan 20, 1970 Fix PR Merged
- Jan 21, 1970 Security Advisory
- May 15, 2024 CVE Published
- May 16, 2024 EPSS Score
- Jun 9, 2024 EPSS Score
- Jul 3, 2024 EPSS Score
- Jul 27, 2024 EPSS Score
- Aug 19, 2024 EPSS Score
- Sep 12, 2024 EPSS Score
- Oct 4, 2024 Coalition ESS Score
- Oct 6, 2024 EPSS Score
- Oct 30, 2024 EPSS Score
References
- https://github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w url
- https://github.com/fluxcd/source-controller/pull/1430 url
- https://github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9 url
- https://nvd.nist.gov/vuln/detail/CVE-2024-31216 advisory
- https://github.com/fluxcd/source-controller package