CVE-2024-31216

2024-05-1516:15:10

Google

osv.dev

kubernetes

source-controller

azure blob storage

vulnerability

gitops

azure sas token

access

connection error

fix

7.2 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.1%

JSON

The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.

CPENameOperatorVersion
source-controllereq0.30.1
source-controllereq0.24.1
source-controllereq0.22.4
source-controllereqapi/v0.25.7
source-controllereqapi/v0.34.0
source-controllereq0.0.1-alpha.1
source-controllereq0.25.5
source-controllereqapi/v0.35.1
source-controllereqapi/v0.0.16
source-controllereq0.0.1-alpha.2

Name	Operator	Version
source-controller	eq	0.30.1
source-controller	eq	0.24.1
source-controller	eq	0.22.4
source-controller	eq	api/v0.25.7
source-controller	eq	api/v0.34.0
source-controller	eq	0.0.1-alpha.1
source-controller	eq	0.25.5
source-controller	eq	api/v0.35.1
source-controller	eq	api/v0.0.16
source-controller	eq	0.0.1-alpha.2