GitHub Advisory DatabaseGHSA-V554-XWGW-HC3Wsource-controller leaks Azure Storage SAS token into logs
5.1 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.6%
Impact
When source-controller is configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.
Patches
This vulnerability was fixed in source-controller v1.2.5.
Workarounds
There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.
Credits
This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.
References
https://github.com/fluxcd/source-controller/pull/1430
For more information
If you have any questions or comments about this advisory:
- Open an issue in the source-controller repository.
- Contact us at the CNCF Flux Channel.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/fluxcd/source-controller | lt | 1.2.5 |
Related
5.1 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.6%