5.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-31216

GHSA ID

GHSA-v554-xwgw-hc3w

EPSS Score

0.30746%

CWE

CWE-532

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-31216

CVE-2024-31216: source-controller leaks Azure Storage SAS token into logs

Impact

When source-controller is configured to use an Azure SAS token when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.

Patches

This vulnerability was fixed in source-controller v1.2.5.

Workarounds

There is no workaround for this vulnerability except for using a different auth mechanism such as Azure Workload Identity.

Credits

This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.

References

https://github.com/fluxcd/source-controller/pull/1430

For more information

If you have any questions or comments about this advisory:

Open an issue in the source-controller repository.
Contact us at the CNCF Flux Channel.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-31216

CVE-2024-31216:

5.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-31216

GHSA ID

GHSA-v554-xwgw-hc3w

EPSS Score

0.30746%

CWE

CWE-532

Published

5/15/2024

Updated

5/15/2024

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/fluxcd/source-controller	go	< 1.2.5	1.2.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from error messages containing full Azure storage URLs with SAS tokens in query parameters. The commit diff shows these functions were modified to add serror.SanitizeError() wrappers around returned errors. Prior to the patch, they directly returned errors containing raw URLs through fmt.Errorf() calls, which would log sensitive SAS tokens. The added sanitization in the patch confirms these were the leakage points.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-31216: source-controller leaks Azure Storage SAS token into logs

Impact

Patches

Workarounds

Credits

References

For more information

CVE-2024-31216:

5.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-31216: source-controller leaks Azure Storage SAS token into logs

Impact

Patches

Workarounds

Credits

References

For more information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.1

5.1

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI