Vulnerability Information
Vulnerability Title
source-controller leaks the Azure Storage SAS token into logs on connection errors
Vulnerability Description
The source-controller is a Kubernetes operator specialised in acquiring artifacts from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. It implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to version 1.2.5, when source-controller was configured to authenticate to Azure Blob Storage with an Azure SAS token, the token was logged together with the Azure URL whenever the controller encountered a connection error. An attacker with read access to the source-controller logs (or to any system the logs are shipped to) could use the token to access the Azure Blob Storage account until the token expires. This vulnerability was fixed in source-controller v1.2.5. There is no workaround other than using a different authentication mechanism such as Azure Workload Identity. Upgrading does not invalidate tokens already written to logs: a SAS token that has appeared in a log line should be treated as compromised and replaced (for an account-key-signed SAS, by rotating the storage account key that signed it).
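The failure mode above is a URL carrying a SAS token being formatted straight into an error message. The following Go example is added here to illustrate it and is not source-controller's own code: the URL, container path, query values, function names and the "REDACTED" placeholder are all constructed for the illustration. It contrasts the unsafe pattern (full URL in the error) with a version that redacts the SAS `sig` value before formatting, while keeping the host, path and non-secret claims such as `se` so the log line stays useful for debugging.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sasSecretParams lists SAS query parameters whose values must never reach a log.
// "sig" is the HMAC signature; whoever holds it (plus the visible claims) can use the token.
var sasSecretParams = map[string]bool{"sig": true}

// sigRe finds a SAS signature parameter anywhere in free text such as an error string.
var sigRe = regexp.MustCompile(`(?i)(?:^|[?&])sig=([^&\s]+)`)

// RedactSASURL returns a copy of rawURL that is safe to log. The signature value is
// replaced with "REDACTED"; host, path and the non-secret claims (sv, se, sp, ...) are kept.
// If the string cannot be parsed as a URL it is dropped entirely rather than logged raw.
func RedactSASURL(rawURL string) string {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "[unparseable url redacted]"
	}
	q := u.Query()
	for name := range q {
		if sasSecretParams[strings.ToLower(name)] {
			q.Set(name, "REDACTED") // replaces every value for this parameter
		}
	}
	u.RawQuery = q.Encode()
	return u.String()
}

// ContainsSASSignature reports whether s still carries an unredacted SAS signature.
// Useful as a guard in tests or in a log-sanitising hook.
func ContainsSASSignature(s string) bool {
	for _, m := range sigRe.FindAllStringSubmatch(s, -1) {
		if m[1] != "REDACTED" {
			return true
		}
	}
	return false
}

// connectErrorUnsafe shows the vulnerable pattern: the full URL, token included,
// is embedded in the error and therefore in whatever logs the error.
func connectErrorUnsafe(blobURL string, cause error) error {
	return fmt.Errorf("failed to connect to %s: %w", blobURL, cause)
}

// connectErrorRedacted is the hardened form: redact before formatting.
func connectErrorRedacted(blobURL string, cause error) error {
	return fmt.Errorf("failed to connect to %s: %w", RedactSASURL(blobURL), cause)
}

func main() {
	// Constructed sample: hypothetical storage account, container and signature.
	blobURL := "https://acct.blob.core.windows.net/artifacts/flux" +
		"?sv=2022-11-02&ss=b&srt=co&sp=rl&se=2024-12-31T00%3A00%3A00Z&sig=SECRETSIGNATURE"
	cause := errors.New("dial tcp: i/o timeout")

	fmt.Println("unsafe:  ", connectErrorUnsafe(blobURL, cause))
	fmt.Println("redacted:", connectErrorRedacted(blobURL, cause))
}
```

Redacting only `sig` is a deliberate choice: the other SAS parameters are the token's claims (permissions, expiry, signed version) and are not secret on their own, and keeping them lets an operator see from the log that, for example, an expired `se` explains the failure.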
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vulnerability Type
Information exposure through log files
Vulnerability Title
Source controller security vulnerability
Vulnerability Description
Source controller is a component of the Flux project. Versions of source-controller prior to 1.2.5 contain a security vulnerability. An attacker exploiting it can gain access to Azure Blob Storage.
CVSS Information
N/A
Vulnerability Type
N/A