
x/vulndb: potential Go vuln in github.com/runatlantis/atlantis: GHSA-gppm-hq3p-h4rp #3265

Open
GoVulnBot opened this issue Nov 8, 2024 · 1 comment

Comments

@GoVulnBot

Advisory GHSA-gppm-hq3p-h4rp references a vulnerability in the following Go modules:

Module
github.com/runatlantis/atlantis

Description:

Summary

Atlantis logs contain GitHub credentials (tokens ghs_...) when they are rotated. This enables an attacker able to read these logs to impersonate the Atlantis application and to perform actions on GitHub.

When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization.

This was reported in https://github.com/runatl...

References:

Cross references:

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/runatlantis/atlantis
      versions:
        - fixed: 0.30.0
      vulnerable_at: 0.29.0
summary: Git credentials are exposed in Atlantis logs in github.com/runatlantis/atlantis
ghsas:
    - GHSA-gppm-hq3p-h4rp
references:
    - advisory: https://github.com/advisories/GHSA-gppm-hq3p-h4rp
    - advisory: https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp
    - fix: https://github.com/runatlantis/atlantis/pull/4667
    - report: https://github.com/runatlantis/atlantis/issues/4060
    - web: https://github.com/runatlantis/atlantis/releases/tag/v0.30.0
source:
    id: GHSA-gppm-hq3p-h4rp
    created: 2024-11-08T20:01:18.335934548Z
review_status: UNREVIEWED
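The report above describes the failure mode (a freshly rotated ghs_ token written verbatim to the application log) but not how to detect or prevent it. The following is an added example and is not Atlantis code, nor code from the advisory or the fix PR. It assumes a generic io.Writer-based logger; the only token prefix the page names is ghs_, and the other GitHub prefixes matched by the pattern (ghp_, gho_, ghu_, ghr_, github_pat_) are an assumption added for coverage. The sample log lines are constructed, not real Atlantis output.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"log"
	"regexp"
	"strings"
)

// githubTokenRE matches GitHub token formats. Only ghs_ (App installation
// tokens) is named in the advisory; the other prefixes are an assumption
// added here so the filter is not bypassed by a different credential type
// ending up in the same log stream.
var githubTokenRE = regexp.MustCompile(`\b(?:gh[posur]_[A-Za-z0-9]{20,}|github_pat_[A-Za-z0-9_]{20,})\b`)

// Redact masks every GitHub token in s, keeping the prefix and the last four
// characters so an operator can still tell one rotation from the next.
func Redact(s string) string {
	return githubTokenRE.ReplaceAllStringFunc(s, func(tok string) string {
		prefix := tok[:4]
		if strings.HasPrefix(tok, "github_pat_") {
			prefix = "github_pat_"
		}
		return prefix + "****" + tok[len(tok)-4:]
	})
}

// Hit records where a token was found when scanning existing logs.
type Hit struct {
	Line  int    // zero-based index into the scanned slice
	Token string // the masked token, never the raw value
}

// FindTokens scans log lines written before any redaction was in place and
// reports each leaked credential (masked) with the line it appeared on, so
// the operator knows which tokens to revoke.
func FindTokens(lines []string) []Hit {
	var hits []Hit
	for i, line := range lines {
		for _, tok := range githubTokenRE.FindAllString(line, -1) {
			hits = append(hits, Hit{Line: i, Token: Redact(tok)})
		}
	}
	return hits
}

// RedactingWriter wraps any io.Writer (file, stdout, log shipper) and scrubs
// tokens before the bytes reach it. It reports len(p) on success so callers
// such as *log.Logger do not see a short write.
type RedactingWriter struct{ W io.Writer }

func (r RedactingWriter) Write(p []byte) (int, error) {
	if _, err := r.W.Write([]byte(Redact(string(p)))); err != nil {
		return 0, err
	}
	return len(p), nil
}

// SampleLines returns constructed log lines (not real Atlantis output)
// resembling a token rotation event, for exercising the scanner and writer.
func SampleLines() []string {
	return []string{
		"2024-11-08T20:01:18Z INFO rotating GitHub App installation token",
		"2024-11-08T20:01:18Z DEBUG new token: ghs_ABCDEFGHIJKLMNOPQRSTUVWXYZ1234",
		"2024-11-08T20:01:19Z INFO plan succeeded for repo org/infra",
		"2024-11-08T20:01:20Z DEBUG authorization: Bearer ghs_0123456789abcdefghijklmnopqrstuv",
	}
}

func main() {
	// 1. Find what has already leaked into an existing log.
	for _, h := range FindTokens(SampleLines()) {
		fmt.Printf("line %d leaks %s\n", h.Line, h.Token)
	}

	// 2. Stop future leaks: route the logger through the redacting writer.
	var buf bytes.Buffer
	logger := log.New(RedactingWriter{W: &buf}, "", 0)
	logger.Printf("new token: %s", "ghs_ABCDEFGHIJKLMNOPQRSTUVWXYZ1234")
	fmt.Print(buf.String()) // new token: ghs_****1234
}
```

Two points worth noting. The scanner is for triage after upgrading: any token the scanner finds in retained logs must be treated as compromised and revoked, because upgrading to a fixed version does not retroactively clean log archives or the log aggregator that already ingested them. The writer is a defence in depth: it catches tokens regardless of which code path logged them, but it is pattern-based, so a credential format it does not know about still goes through, which is why the prefix list is marked as an assumption to be kept current.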

@gopherbot
Contributor

Change https://go.dev/cl/626158 mentions this issue: data/reports: add 4 NEEDS_REVIEW reports

gopherbot pushed a commit that referenced this issue Nov 20, 2024
  - data/reports/GO-2024-3122.yaml
  - data/reports/GO-2024-3140.yaml
  - data/reports/GO-2024-3259.yaml
  - data/reports/GO-2024-3265.yaml

Updates #3122
Updates #3140
Updates #3259
Updates #3265

Change-Id: I3fb8a3af0ccd59ed8dd5d130889e10601c0a9472
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/626158
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Zvonimir Pavlinovic <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>