
x/vulndb: potential Go vuln in github.com/runatlantis/atlantis: CVE-2024-52009 #3266

Closed
GoVulnBot opened this issue Nov 9, 2024 · 1 comment

Comments

@GoVulnBot

Advisory CVE-2024-52009 references a vulnerability in the following Go modules:

Module
github.com/runatlantis/atlantis

Description:
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contain GitHub credentials (ghs_... tokens) when they are rotated. This enables an attacker able to read these logs to impersonate the Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667. The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this ...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/runatlantis/atlantis
      vulnerable_at: 0.30.0
summary: CVE-2024-52009 in github.com/runatlantis/atlantis
cves:
    - CVE-2024-52009
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-52009
    - fix: https://github.com/runatlantis/atlantis/pull/4667
    - report: https://github.com/runatlantis/atlantis/issues/4060
    - web: https://argo-cd.readthedocs.io/en/stable/operator-manual/security
    - web: https://github.com/runatlantis/atlantis/releases/tag/v0.30.0
    - web: https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp
source:
    id: CVE-2024-52009
    created: 2024-11-09T01:01:23.552097242Z
review_status: UNREVIEWED
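The advisory above describes a log-leak failure mode: a credential rotation routine writes the live token into application logs, so anyone with log access inherits the app's GitHub permissions. The following Go example is added here to illustrate the two defensive controls a maintainer would reach for; it is not Atlantis code and not the fix referenced in #4667. The `ghs_` prefix comes from the advisory; the other `gh*_` prefixes, the 20-character minimum body length, the function names and the sample log lines are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Pattern for GitHub token families that share the "<prefix>_<body>" shape.
// ghs_ is the installation token prefix named in the advisory; the other
// prefixes (ghp_, gho_, ghu_, ghr_) and the minimum body length of 20
// alphanumeric characters are assumptions made for this example.
var ghTokenPattern = regexp.MustCompile(`\bgh[pousr]_[A-Za-z0-9]{20,}\b`)

// RedactGitHubTokens rewrites a log line so that any embedded token is
// replaced by a fixed marker before the line reaches a log sink.
func RedactGitHubTokens(line string) string {
	return ghTokenPattern.ReplaceAllString(line, "[REDACTED_GITHUB_TOKEN]")
}

// ContainsGitHubToken is the detection side: run it over existing log
// files to find lines that have already leaked a credential.
func ContainsGitHubToken(line string) bool {
	return ghTokenPattern.MatchString(line)
}

// TokenFingerprint returns the first 8 hex characters of SHA-256(token).
// Logging the fingerprint instead of the token lets operators correlate
// rotation events without the log becoming a credential store.
func TokenFingerprint(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:4])
}

// RotationLogLine builds the message a rotation routine should emit:
// it carries fingerprints only, never the token values themselves.
func RotationLogLine(oldToken, newToken string) string {
	return fmt.Sprintf("rotated github app token: old=%s new=%s",
		TokenFingerprint(oldToken), TokenFingerprint(newToken))
}

// Constructed sample lines (not real credentials, not real Atlantis output).
const (
	constructedToken = "ghs_EXAMPLEexampleEXAMPLE0123456789abcd"
	LeakyLine        = "refreshing installation token: " + constructedToken
	BenignLine       = "plan succeeded for repo example/repo"
)

func main() {
	fmt.Println(ContainsGitHubToken(LeakyLine)) // true
	fmt.Println(RedactGitHubTokens(LeakyLine))
	fmt.Println(RotationLogLine(constructedToken, "ghs_NEWexampleEXAMPLEexample0123456789"))
}
```

`RedactGitHubTokens` belongs in the logger's output path (a wrapper around the writer), not at individual call sites, so a future code path that logs a token by mistake is still covered. `ContainsGitHubToken` is the same pattern turned into a scan for triage: running it over archived logs tells you whether rotation events before the upgrade already exposed credentials that should themselves be rotated.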

@tatianab
Contributor

Duplicate of #3265

@tatianab tatianab marked this as a duplicate of #3265 Nov 12, 2024