CVE-2024-31216: source-controller leaks Azure Storage SAS token into logs
When source-controller is configured to authenticate to Azure Blob Storage with an Azure SAS token, a connection error caused the controller to log the token together with the Azure URL. Anyone with read access to the source-controller logs, or to whatever log aggregation pipeline receives them, could use the token to access the Azure Blob Storage account until the token expires. The fix is in the commit and pull request referenced below. After upgrading, treat any SAS token that may have reached the logs as compromised: purging the log lines does not revoke it, so invalidate it (for an account- or service-level SAS, by regenerating the storage account key that signed it) and issue a new token.
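The pattern the advisory describes, shown as an added Go example that is not taken from source-controller or from the referenced fix: the vulnerable form interpolates the blob URL (whose query string carries the SAS token) into an error message, the hardened form redacts the query before logging and then scrubs the finished message so a wrapped transport error that embeds the URL cannot reintroduce the token, and a small detector runs the same signature pattern over constructed log lines so an operator can tell whether a token has leaked and must be rotated. The account name, container, signature, and log lines are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// Constructed sample: a container URL carrying a SAS token. The "sig" field is
// the HMAC that grants access; the other fields only describe the grant.
// (Hypothetical account, container and signature; not from the advisory.)
const sampleSASURL = "https://acct.blob.core.windows.net/container?sv=2022-11-02&ss=b&sp=rl&se=2024-06-01T00:00:00Z&sig=Qm9ndXNTaWduYXR1cmVGb3JUZXN0T25seQ%3D%3D"

// Vulnerable pattern: formatting the blob URL into an error message copies the
// SAS token into whatever log sink the controller writes to.
func vulnerableErrMessage(blobURL string, err error) string {
	return fmt.Sprintf("failed to connect to %s: %v", blobURL, err)
}

// redactSAS drops the whole query string before a URL is logged. Only "sig" is
// secret, but the remaining SAS fields add nothing a log line needs.
func redactSAS(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "<unparseable URL redacted>"
	}
	if u.RawQuery != "" {
		u.RawQuery = "REDACTED"
	}
	u.User = nil // userinfo would be a credential too
	return u.String()
}

// sasSig matches a SAS signature wherever it appears in free text, including
// inside wrapped errors such as *url.Error, which embed the full request URL.
var sasSig = regexp.MustCompile(`(?i)([?&])sig=[A-Za-z0-9%+/=_-]+`)

// scrubSAS replaces every SAS signature value in s. Apply it at the log sink:
// redacting only your own format string is not enough when the wrapped error
// already contains the URL.
func scrubSAS(s string) string {
	return sasSig.ReplaceAllString(s, "${1}sig=REDACTED")
}

// Hardened pattern: redact the URL you format, then scrub the whole message so
// a URL embedded in err cannot reintroduce the token.
func safeErrMessage(blobURL string, err error) string {
	return scrubSAS(fmt.Sprintf("failed to connect to %s: %v", redactSAS(blobURL), err))
}

// Constructed log lines in a controller-style JSON format; one carries a
// leaked token, the other is harmless.
var sampleLogLines = []string{
	`{"level":"error","ts":"2024-05-01T12:00:00Z","msg":"failed to connect to ` + sampleSASURL + `: dial tcp: i/o timeout"}`,
	`{"level":"info","ts":"2024-05-01T12:00:05Z","msg":"reconciliation finished"}`,
}

// findLeakedSAS returns the lines that contain a SAS signature. A non-empty
// result means the token has left the cluster's trust boundary and must be
// invalidated; deleting the log lines is not sufficient.
func findLeakedSAS(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if sasSig.MatchString(l) {
			hits = append(hits, l)
		}
	}
	return hits
}

func main() {
	connErr := errors.New("dial tcp: i/o timeout")
	fmt.Println("vulnerable:", vulnerableErrMessage(sampleSASURL, connErr))
	fmt.Println("hardened:  ", safeErrMessage(sampleSASURL, connErr))
	// A wrapped transport error that embeds the URL itself (constructed).
	wrapped := errors.New(`Get "` + sampleSASURL + `": dial tcp: i/o timeout`)
	fmt.Println("wrapped:   ", safeErrMessage(sampleSASURL, wrapped))
	fmt.Printf("log lines with a leaked SAS signature: %d\n", len(findLeakedSAS(sampleLogLines)))
}
```

The scrub step at the log sink matters more than the URL redaction: Go's HTTP client returns `*url.Error`, whose message quotes the full request URL, so a caller that carefully formats a redacted URL and then appends `err` still leaks the token. Running `findLeakedSAS` over historical controller logs is a quick way to decide whether a token needs to be invalidated rather than merely rotated on schedule.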
References
- github.com/advisories/GHSA-v554-xwgw-hc3w
- github.com/fluxcd/source-controller
- github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9
- github.com/fluxcd/source-controller/pull/1430
- github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w
- nvd.nist.gov/vuln/detail/CVE-2024-31216