Go modules package
github.com/runatlantis/atlantis
pkg:golang/github.com/runatlantis/atlantis
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-58445 | — | | | <= 0.35.1 | — | Sep 6, 2025 | Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target k |
| CVE-2024-52009 | — | | | < 0.30.0 | 0.30.0 | Nov 8, 2024 | Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contain GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and t |
| CVE-2022-24912 | — | | | < 0.19.7 | 0.19.7 | Jul 29, 2022 | The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 is vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this |