PT-2024-23857 · Fluxcd · Source-Controller

Jagpreet Singh Tamber

Published: 2024-05-15 · Updated: 2024-06-04

CVE-2024-31216

CVSS v3.1: 5.1 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: source-controller versions prior to 1.2.5

Description: The source-controller is a Kubernetes operator that implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. It is specialized in acquiring artifacts from external sources such as Git, OCI, Helm repositories, and S3-compatible buckets. When the source-controller is configured to use an Azure SAS token when connecting to Azure Blob Storage, the token is logged along with the Azure URL when the controller encounters a connection error. An attacker with access to the source-controller logs could use the token to access the Azure Blob Storage until the token expires.

Recommendations: For versions prior to 1.2.5, update to version 1.2.5, which fixes the vulnerability. As a temporary workaround, consider using a different authentication mechanism such as Azure Workload Identity. Note that upgrading does not remove tokens that were already written to retained logs: any SAS token that may have reached the source-controller logs should be treated as exposed until it expires.
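The pattern behind this advisory, and the fix a practitioner would apply to it, as an added Go example that is not the source-controller's own code: an error built from the full storage endpoint carries the SAS `sig` value into whatever logs the error, so the hardened variant redacts the signature before the URL reaches the error message. A small scanner over the resulting log lines shows how to check existing logs for the leak. The endpoint, the SAS parameters, the function names and the log lines are all constructed for this example; the signature value is invented and grants nothing.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// sampleSASURL is a constructed Azure Blob endpoint with an invented,
// non-functional SAS token appended as query parameters.
const sampleSASURL = "https://example.blob.core.windows.net/artifacts" +
	"?sv=2022-11-02&ss=b&srt=sco&sp=rl&se=2024-12-31T00:00:00Z&spr=https" +
	"&sig=abc123SECRETSIGNATURE%3D"

// vulnerableConnectError shows the flaw class the advisory describes: the
// endpoint, SAS token included, is embedded verbatim in the error that the
// caller will then log.
func vulnerableConnectError(endpoint string, cause error) error {
	return fmt.Errorf("failed to connect to Azure Blob Storage at %s: %w", endpoint, cause)
}

// redactSASURL returns a copy of the URL that is safe to log. Only the
// signature (sig) is the secret; the other SAS parameters (sv, sp, se, ...)
// describe scope and validity and are kept for debugging. A URL that cannot
// be parsed is replaced wholesale rather than echoed back unredacted.
func redactSASURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable URL redacted>"
	}
	q := u.Query()
	if q.Has("sig") {
		q.Set("sig", "REDACTED")
		u.RawQuery = q.Encode()
	}
	return u.String()
}

// hardenedConnectError is the same error with the endpoint redacted first.
func hardenedConnectError(endpoint string, cause error) error {
	return fmt.Errorf("failed to connect to Azure Blob Storage at %s: %w", redactSASURL(endpoint), cause)
}

// sasSigPattern matches a sig= query parameter in free-form log text.
var sasSigPattern = regexp.MustCompile(`[?&]sig=([^&\s"]+)`)

// leaksSAS reports whether a log line contains an unredacted SAS signature.
// Run it over retained controller logs to find tokens that must be treated
// as exposed.
func leaksSAS(line string) bool {
	m := sasSigPattern.FindStringSubmatch(line)
	return m != nil && m[1] != "REDACTED"
}

func main() {
	cause := errors.New("dial tcp: i/o timeout")
	for _, e := range []error{
		vulnerableConnectError(sampleSASURL, cause),
		hardenedConnectError(sampleSASURL, cause),
	} {
		line := e.Error()
		fmt.Printf("leaks=%v  %s\n", leaksSAS(line), line)
	}
}
```

Redacting at the point where the URL is turned into an error, rather than in the logger, means every code path that formats or wraps the error stays safe; the scanner is the complementary check for logs written before the fix.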

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2024-31216
GHSA-V554-XWGW-HC3W
GO-2024-2859

Affected Products

Source-Controller