Atlantis Logs Contain GitHub Credentials, Enabling Attacker to Impersonate Application and Access GitHub
CVE-2024-52009

Currently unrated

Key Information:

Vendor

Runatlantis

Status
Atlantis
Vendor
CVE Published:
8 November 2024

What is CVE-2024-52009?

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens ghs_...) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

atlantis < 0.30.0

References

https://github.com/runatlantis/atlantis/security/advisori...
x_refsource_CONFIRM
https://github.com/runatlantis/atlantis/issues/4060
x_refsource_MISC
https://github.com/runatlantis/atlantis/pull/4667
x_refsource_MISC

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.