cvelistv5 - cve-2024-52009

CVE-2024-52009 (GCVE-0-2024-52009)

Vulnerability from cvelistv5

Published

2024-11-08 22:24

Modified

2024-11-12 19:19

Severity ?

8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

CWE

CWE-532 - Insertion of Sensitive Information into Log File

Summary

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References

URL

Tags

security-advisories@github.com	https://argo-cd.readthedocs.io/en/stable/operator-manual/security	Technical Description
security-advisories@github.com	https://github.com/runatlantis/atlantis/issues/4060	Issue Tracking
security-advisories@github.com	https://github.com/runatlantis/atlantis/pull/4667	Issue Tracking
security-advisories@github.com	https://github.com/runatlantis/atlantis/releases/tag/v0.30.0	Release Notes
security-advisories@github.com	https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp	Vendor Advisory, Exploit

Impacted products

	Vendor	Product	Version
	runatlantis	atlantis	Version: < 0.30.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52009",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-12T19:19:05.416739Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-12T19:19:58.293Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "atlantis",
          "vendor": "runatlantis",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.30.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-08T22:24:15.300Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp"
        },
        {
          "name": "https://github.com/runatlantis/atlantis/issues/4060",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/runatlantis/atlantis/issues/4060"
        },
        {
          "name": "https://github.com/runatlantis/atlantis/pull/4667",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/runatlantis/atlantis/pull/4667"
        },
        {
          "name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security"
        },
        {
          "name": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0"
        }
      ],
      "source": {
        "advisory": "GHSA-gppm-hq3p-h4rp",
        "discovery": "UNKNOWN"
      },
      "title": "Git credentials are exposed in atlantis logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-52009",
    "datePublished": "2024-11-08T22:24:15.300Z",
    "dateReserved": "2024-11-04T17:46:16.779Z",
    "dateUpdated": "2024-11-12T19:19:58.293Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-52009\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-08T23:15:05.030\",\"lastModified\":\"2025-09-29T15:06:51.653\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Atlantis es una aplicaci\u00f3n Golang autoalojada que escucha los eventos de solicitud de extracci\u00f3n de Terraform a trav\u00e9s de webhooks. Los registros de Atlantis contienen credenciales de GitHub (tokens `ghs_...`) cuando se rotan. Esto permite que un atacante pueda leer estos registros para hacerse pasar por la aplicaci\u00f3n Atlantis y realizar acciones en GitHub. Cuando se utiliza Atlantis para administrar una organizaci\u00f3n de GitHub, esto permite obtener privilegios de administraci\u00f3n en la organizaci\u00f3n. Esto se inform\u00f3 en #4060 y se corrigi\u00f3 en #4667. La correcci\u00f3n se incluy\u00f3 en Atlantis v0.30.0. Se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:runatlantis:atlantis:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.30.0\",\"matchCriteriaId\":\"73AD0BFE-124A-4CC1-A4F6-D3AB65E4CA97\"}]}]}],\"references\":[{\"url\":\"https://argo-cd.readthedocs.io/en/stable/operator-manual/security\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/runatlantis/atlantis/issues/4060\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/runatlantis/atlantis/pull/4667\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/runatlantis/atlantis/releases/tag/v0.30.0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\",\"Exploit\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52009\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-12T19:19:05.416739Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-12T19:19:53.335Z\"}}], \"cna\": {\"title\": \"Git credentials are exposed in atlantis logs\", \"source\": {\"advisory\": \"GHSA-gppm-hq3p-h4rp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 8.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"runatlantis\", \"product\": \"atlantis\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.30.0\"}]}], \"references\": [{\"url\": \"https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp\", \"name\": \"https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/runatlantis/atlantis/issues/4060\", \"name\": \"https://github.com/runatlantis/atlantis/issues/4060\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/runatlantis/atlantis/pull/4667\", \"name\": \"https://github.com/runatlantis/atlantis/pull/4667\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://argo-cd.readthedocs.io/en/stable/operator-manual/security\", \"name\": \"https://argo-cd.readthedocs.io/en/stable/operator-manual/security\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/runatlantis/atlantis/releases/tag/v0.30.0\", \"name\": \"https://github.com/runatlantis/atlantis/releases/tag/v0.30.0\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-532\", \"description\": \"CWE-532: Insertion of Sensitive Information into Log File\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-08T22:24:15.300Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-52009\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-12T19:19:58.293Z\", \"dateReserved\": \"2024-11-04T17:46:16.779Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-08T22:24:15.300Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-gppm-hq3p-h4rp

Vulnerability from github

Published

2024-11-08 19:03

Modified

2024-11-20 19:32

Severity ?

8.5 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H

Summary

Git credentials are exposed in Atlantis logs

Details

Summary

Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

Atlantis logs contains GitHub credentials (tokens ghs_...) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub.

When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization.

This was reported in https://github.com/runatlantis/atlantis/issues/4060 and fixed in https://github.com/runatlantis/atlantis/pull/4667 . The fix was included in Atlantis v0.30.0.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

While auditing the Kubernetes/Argo CD/Atlantis deployment of some company, the following set-up was encountered:

Most employees have read-only access to Argo CD, enabling them to see the health of deployed applications.
Atlantis was deployed as an Argo CD application.
Atlantis was used to manage the configuration of a GitHub organization (such as team members), using Terraform's GitHub integration.

Atlantis logs on Argo CD contained lines such as:

json {"level":"debug","ts":"2024-11-07T17:58:30.636Z","caller":"vcs/gh_app_creds_rotator.go:58","msg":"Refreshing git tokens for Github App","json":{}} {"level":"debug","ts":"2024-11-07T17:58:30.637Z","caller":"vcs/gh_app_creds_rotator.go:64","msg":"token ghs_[REDACTED]","json":{}} {"level":"debug","ts":"2024-11-07T17:58:30.637Z","caller":"vcs/git_cred_writer.go:36","msg":"git credentials file has expected contents, not modifying","json":{}}

This enabled employees with read-only access to Argo CD to get administration privileges on the GitHub organization, compromising all repositories. As some repositories were used for Infrastructure-as-Code deployment (with Atlantis), this enabled the security auditors to get cluster admin privileges on most Kubernetes clusters.

While the set-up "most employees have read-only access to Argo CD" can be seen as dangerous, this should not incur such security risk (cf. https://argo-cd.readthedocs.io/en/stable/operator-manual/security/). The main issue here was that the logs contained privileged GitHub tokens as they were obtained by Atlantis.

This issue was already reported (https://github.com/runatlantis/atlantis/issues/4060) and fixed (https://github.com/runatlantis/atlantis/pull/4667) but no security advisory was published on https://github.com/runatlantis/atlantis/security and no CVE was assigned (https://app.opencve.io/cve/?&vendor=runatlantis&product=atlantis only lists CVE-2022-24912, which is unrelated).

Could you please publish a security advisory?

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

cf. https://github.com/runatlantis/atlantis/issues/4060 for more details.

Impact

What kind of vulnerability is it? Who is impacted?

This leaks sensitive GitHub tokens in the log files (CWE-532: Insertion of Sensitive Information into Log File).
This could enable anyone with log read access to compromiseGitHub organizations managed by Atlantis.
This impact at least users using Atlantis with Github application and integration.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/runatlantis/atlantis"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.30.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-52009"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-08T19:03:35Z",
    "nvd_published_at": "2024-11-08T23:15:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n_Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._\n\nAtlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub.\n\nWhen Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization.\n\nThis was reported in https://github.com/runatlantis/atlantis/issues/4060 and fixed in https://github.com/runatlantis/atlantis/pull/4667 . The fix was included in [Atlantis v0.30.0](https://github.com/runatlantis/atlantis/releases/tag/v0.30.0).\n\n### Details\n_Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._\n\nWhile auditing the Kubernetes/Argo CD/Atlantis deployment of some company, the following set-up was encountered:\n\n- Most employees have read-only access to Argo CD, enabling them to see the health of deployed applications.\n- Atlantis was deployed as an Argo CD application.\n- Atlantis was used to manage the configuration of a GitHub organization (such as team members), using [Terraform\u0027s GitHub integration](https://registry.terraform.io/providers/integrations/github/latest).\n\nAtlantis logs on Argo CD contained lines such as:\n\n```json\n{\"level\":\"debug\",\"ts\":\"2024-11-07T17:58:30.636Z\",\"caller\":\"vcs/gh_app_creds_rotator.go:58\",\"msg\":\"Refreshing git tokens for Github App\",\"json\":{}}\n{\"level\":\"debug\",\"ts\":\"2024-11-07T17:58:30.637Z\",\"caller\":\"vcs/gh_app_creds_rotator.go:64\",\"msg\":\"token ghs_[REDACTED]\",\"json\":{}}\n{\"level\":\"debug\",\"ts\":\"2024-11-07T17:58:30.637Z\",\"caller\":\"vcs/git_cred_writer.go:36\",\"msg\":\"git credentials file has expected contents, not modifying\",\"json\":{}}\n```\n\nThis enabled employees with read-only access to Argo CD to get administration privileges on the GitHub organization, compromising all repositories. As some repositories were used for Infrastructure-as-Code deployment (with Atlantis), this enabled the security auditors to get cluster admin privileges on most Kubernetes clusters.\n\nWhile the set-up \"most employees have read-only access to Argo CD\" can be seen as dangerous, this should not incur such security risk (cf. https://argo-cd.readthedocs.io/en/stable/operator-manual/security/). The main issue here was that the logs contained privileged GitHub tokens as they were obtained by Atlantis.\n\nThis issue was already reported  (https://github.com/runatlantis/atlantis/issues/4060) and fixed (https://github.com/runatlantis/atlantis/pull/4667) but no security advisory was published on https://github.com/runatlantis/atlantis/security and no CVE was assigned (https://app.opencve.io/cve/?\u0026vendor=runatlantis\u0026product=atlantis only lists [CVE-2022-24912](https://nvd.nist.gov/vuln/detail/CVE-2022-24912), which is unrelated).\n\nCould you please publish a security advisory?\n\n### PoC\n_Complete instructions, including specific configuration details, to reproduce the vulnerability._\n\ncf. https://github.com/runatlantis/atlantis/issues/4060 for more details.\n\n### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\n- This leaks sensitive GitHub tokens in the log files (CWE-532: Insertion of Sensitive Information into Log File).\n- This could enable anyone with log read access to compromiseGitHub organizations managed by Atlantis.\n- This impact at least users using Atlantis with Github application and integration.",
  "id": "GHSA-gppm-hq3p-h4rp",
  "modified": "2024-11-20T19:32:50Z",
  "published": "2024-11-08T19:03:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52009"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/issues/4060"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/pull/4667"
    },
    {
      "type": "WEB",
      "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/runatlantis/atlantis"
    },
    {
      "type": "WEB",
      "url": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2024-3265"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Git credentials are exposed in Atlantis logs"
}

opensuse-su-2024:14515-1

Vulnerability from csaf_opensuse

Published

2024-11-21 00:00

Modified

2024-11-21 00:00

Summary

govulncheck-vulndb-0.0.20241120T172248-1.1 on GA media

Notes

Title of the patch

govulncheck-vulndb-0.0.20241120T172248-1.1 on GA media

Description of the patch

These are all security issues fixed in the govulncheck-vulndb-0.0.20241120T172248-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-14515

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "govulncheck-vulndb-0.0.20241120T172248-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the govulncheck-vulndb-0.0.20241120T172248-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-14515",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14515-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2024:14515-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BI4XZMV5AQFS43FLZUOJWAX25WXPY5F4/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2024:14515-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/BI4XZMV5AQFS43FLZUOJWAX25WXPY5F4/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-52009 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-52009/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-8986 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-8986/"
      }
    ],
    "title": "govulncheck-vulndb-0.0.20241120T172248-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-11-21T00:00:00Z",
      "generator": {
        "date": "2024-11-21T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:14515-1",
      "initial_release_date": "2024-11-21T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-11-21T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.aarch64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.aarch64",
                  "product_id": "govulncheck-vulndb-0.0.20241120T172248-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.ppc64le",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.ppc64le",
                  "product_id": "govulncheck-vulndb-0.0.20241120T172248-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.s390x",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.s390x",
                  "product_id": "govulncheck-vulndb-0.0.20241120T172248-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.x86_64",
                "product": {
                  "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.x86_64",
                  "product_id": "govulncheck-vulndb-0.0.20241120T172248-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.aarch64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20241120T172248-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.ppc64le"
        },
        "product_reference": "govulncheck-vulndb-0.0.20241120T172248-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.s390x"
        },
        "product_reference": "govulncheck-vulndb-0.0.20241120T172248-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "govulncheck-vulndb-0.0.20241120T172248-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.x86_64"
        },
        "product_reference": "govulncheck-vulndb-0.0.20241120T172248-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-52009",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-52009"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-52009",
          "url": "https://www.suse.com/security/cve/CVE-2024-52009"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-11-21T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-52009"
    },
    {
      "cve": "CVE-2024-8986",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-8986"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The grafana plugin SDK bundles build metadata into the binaries it compiles; this metadata includes the repository URI for the plugin being built, as retrieved by running `git remote get-url origin`.\n \nIf credentials are included in the repository URI (for instance, to allow for fetching of private dependencies), the final binary will contain the full URI, including said credentials.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.aarch64",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.ppc64le",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.s390x",
          "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-8986",
          "url": "https://www.suse.com/security/cve/CVE-2024-8986"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.aarch64",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.ppc64le",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.s390x",
            "openSUSE Tumbleweed:govulncheck-vulndb-0.0.20241120T172248-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-11-21T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2024-8986"
    }
  ]
}

fkie_cve-2024-52009

Vulnerability from fkie_nvd

Published

2024-11-08 23:15

Modified

2025-09-29 15:06

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://argo-cd.readthedocs.io/en/stable/operator-manual/security	Technical Description
security-advisories@github.com	https://github.com/runatlantis/atlantis/issues/4060	Issue Tracking
security-advisories@github.com	https://github.com/runatlantis/atlantis/pull/4667	Issue Tracking
security-advisories@github.com	https://github.com/runatlantis/atlantis/releases/tag/v0.30.0	Release Notes
security-advisories@github.com	https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp	Vendor Advisory, Exploit

Impacted products

	Vendor	Product	Version
	runatlantis	atlantis	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:runatlantis:atlantis:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "73AD0BFE-124A-4CC1-A4F6-D3AB65E4CA97",
              "versionEndExcluding": "0.30.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
    },
    {
      "lang": "es",
      "value": "Atlantis es una aplicaci\u00f3n Golang autoalojada que escucha los eventos de solicitud de extracci\u00f3n de Terraform a trav\u00e9s de webhooks. Los registros de Atlantis contienen credenciales de GitHub (tokens `ghs_...`) cuando se rotan. Esto permite que un atacante pueda leer estos registros para hacerse pasar por la aplicaci\u00f3n Atlantis y realizar acciones en GitHub. Cuando se utiliza Atlantis para administrar una organizaci\u00f3n de GitHub, esto permite obtener privilegios de administraci\u00f3n en la organizaci\u00f3n. Esto se inform\u00f3 en #4060 y se corrigi\u00f3 en #4667. La correcci\u00f3n se incluy\u00f3 en Atlantis v0.30.0. Se recomienda a todos los usuarios que actualicen. No existen workarounds para esta vulnerabilidad."
    }
  ],
  "id": "CVE-2024-52009",
  "lastModified": "2025-09-29T15:06:51.653",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-11-08T23:15:05.030",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Technical Description"
      ],
      "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/runatlantis/atlantis/issues/4060"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/runatlantis/atlantis/pull/4667"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory",
        "Exploit"
      ],
      "url": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-52009 (GCVE-0-2024-52009)

Vulnerability from cvelistv5

ghsa-gppm-hq3p-h4rp

Vulnerability from github

Summary

Details

PoC

Impact

opensuse-su-2024:14515-1

Vulnerability from csaf_opensuse

fkie_cve-2024-52009

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature