Lucene search

Veracode Vulnerability DatabaseVERACODE:46947

HistoryMay 16, 2024 - 6:21 a.m.

Token Disclosure

2024-05-1606:21:35

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

token disclosure

logs

credential masking

error statements

azure blob storage

azure sas token

azure url

vulnerable

software

CVSS3

5.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

6.4

Confidence

High

EPSS

Percentile

15.5%

JSON

github.com/fluxcd/source-controller is vulnerable to Token Disclosure though logs. The vulnerability is due to improper credential masking in error statements when the source-controller encounters an error when connecting to Azure Blob Storage, resulting in the Azure SAS token being logged along with the Azure URL.

References

github.com/fluxcd/source-controller/commit/915d1a072a4f37dd460ba33079dc094aa6e72fa9

github.com/fluxcd/source-controller/pull/1430

github.com/fluxcd/source-controller/security/advisories/GHSA-v554-xwgw-hc3w

CVSS3

5.1

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

AI Score

6.4

Confidence

High

EPSS

Percentile

15.5%

JSON

Related for VERACODE:46947