source-controller leaks Azure Storage SAS token into logs
Moderate severity
GitHub Reviewed
Published
May 15, 2024
in
fluxcd/source-controller
•
Updated May 15, 2024
Package
Affected versions
< 1.2.5
Patched versions
1.2.5
Description
Published by the National Vulnerability Database
May 15, 2024
Published to the GitHub Advisory Database
May 15, 2024
Reviewed
May 15, 2024
Last updated
May 15, 2024
Impact
When source-controller is configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.
Patches
This vulnerability was fixed in source-controller v1.2.5.
Workarounds
There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.
Credits
This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.
References
fluxcd/source-controller#1430
For more information
If you have any questions or comments about this advisory:
References