CVE-2024-31216: Log File Information Exposure in Source-controller

Severity: 5.1 MEDIUM (NVD)
EPSS: 0.2% (top 64.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 15; latest update Jun 4

Description

The source-controller is a Kubernetes operator specialised in artifact acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection
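The class of leak described above (a SAS token carried in the URL that ends up inside a logged connection error) can be closed by scrubbing the signature before the error reaches a logger. The following is an added example, not the source-controller's own code or its actual fix; the names `RedactSAS`, `Redact`, `redactedError` and `sampleErr`, and the sample URL and token, are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// sasSig matches the SAS signature query parameter wherever it appears in
// free text, such as an error string that embeds the request URL.
var sasSig = regexp.MustCompile(`(?i)([?&]sig=)[^&\s"']+`)

// RedactSAS replaces the value of every sig= parameter found in s.
func RedactSAS(s string) string {
	return sasSig.ReplaceAllString(s, "${1}REDACTED")
}

// redactedError scrubs the message but keeps the error chain, so callers can
// still use errors.Is / errors.As. Code that unwraps and then logs the inner
// error (or its URL field) must redact again.
type redactedError struct{ err error }

func (e redactedError) Error() string { return RedactSAS(e.err.Error()) }
func (e redactedError) Unwrap() error { return e.err }

// Redact wraps err so that anything formatting it sees only scrubbed text.
func Redact(err error) error {
	if err == nil {
		return nil
	}
	return redactedError{err}
}

// sampleErr builds a constructed connection error of the shape net/http
// returns: the full request URL, query string included, is in the message.
func sampleErr() error {
	// Constructed URL and token; not a real account or signature.
	raw := "https://example.blob.core.windows.net/bucket?sv=2022-11-02&sp=rl&sig=c2FtcGxlLXNpZ25hdHVyZQ%3D%3D"
	return &url.Error{Op: "Get", URL: raw, Err: errors.New("dial tcp: connection refused")}
}

func main() {
	err := sampleErr()
	fmt.Println("unsafe:", err)         // message contains the sig value
	fmt.Println("safe:  ", Redact(err)) // sig value replaced with REDACTED
}
```

Tokens that were already written to logs by an affected version remain usable until they expire or the signing key is rotated, so log scrubbing does not replace rotation.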

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.5 | Impact: 2.5

Affected Packages: 2 packages

Vulnerability Details (3)

OSV: source-controller leaks Azure Storage SAS token into logs in github.com/fluxcd/source-controller (2024-06-04)
GHSA: source-controller leaks Azure Storage SAS token into logs (2024-05-15)
OSV: source-controller leaks Azure Storage SAS token into logs (2024-05-15)