CVE-2024-52009: Git credentials are exposed in Atlantis logs
(updated )
Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.
Atlantis logs contains GitHub credentials (tokens ghs_...) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub.
When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization.
This was reported in https://github.com/runatlantis/atlantis/issues/4060 and fixed in https://github.com/runatlantis/atlantis/pull/4667 . The fix was included in Atlantis v0.30.0.
References
- argo-cd.readthedocs.io/en/stable/operator-manual/security
- github.com/advisories/GHSA-gppm-hq3p-h4rp
- github.com/runatlantis/atlantis
- github.com/runatlantis/atlantis/issues/4060
- github.com/runatlantis/atlantis/pull/4667
- github.com/runatlantis/atlantis/releases/tag/v0.30.0
- github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp
- nvd.nist.gov/vuln/detail/CVE-2024-52009
- pkg.go.dev/vuln/GO-2024-3265
Detect and mitigate CVE-2024-52009 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →