Git credentials are exposed in atlantis logs
Description
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens ghs_...) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/runatlantis/atlantisGo | < 0.30.0 | 0.30.0 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/runatlantis/atlantispkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 0.30.0+ 1 more
- (no CPE)range: < 0.30.0
- (no CPE)range: < 0.0.20241120T172248-1.1
- runatlantis/atlantisv5Range: < 0.30.0
Patches
Vulnerability mechanics
References
8- github.com/advisories/GHSA-gppm-hq3p-h4rpghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-52009ghsaADVISORY
- argo-cd.readthedocs.io/en/stable/operator-manual/securityghsax_refsource_MISCWEB
- github.com/runatlantis/atlantis/issues/4060ghsax_refsource_MISCWEB
- github.com/runatlantis/atlantis/pull/4667ghsax_refsource_MISCWEB
- github.com/runatlantis/atlantis/releases/tag/v0.30.0ghsax_refsource_MISCWEB
- github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rpghsax_refsource_CONFIRMWEB
- pkg.go.dev/vuln/GO-2024-3265ghsaWEB
News mentions
0No linked articles in our index yet.