
x/vulndb: potential Go vuln in github.com/runatlantis/atlantis: CVE-2024-52009 #3266

Closed
GoVulnBot opened this issue Nov 9, 2024 · 1 comment


@GoVulnBot

Advisory CVE-2024-52009 references a vulnerability in the following Go modules:

Module
github.com/runatlantis/atlantis

Description:
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contain GitHub credentials (tokens ghs_...) when they are rotated. This enables an attacker able to read these logs to impersonate the Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667. The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this ...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/runatlantis/atlantis
      vulnerable_at: 0.30.0
summary: CVE-2024-52009 in github.com/runatlantis/atlantis
cves:
    - CVE-2024-52009
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52009
    - fix: https://github.com/runatlantis/atlantis/pull/4667
    - report: https://github.com/runatlantis/atlantis/issues/4060
    - web: https://argo-cd.readthedocs.io/en/stable/operator-manual/security
    - web: https://github.com/runatlantis/atlantis/releases/tag/v0.30.0
    - web: https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp
source:
    id: CVE-2024-52009
    created: 2024-11-09T01:01:23.552097242Z
review_status: UNREVIEWED

@tatianab
Contributor

Duplicate of #3265

@tatianab tatianab marked this as a duplicate of #3265 Nov 12, 2024