CVE-2024-52009

CVE-2024-52009 is a high-severity security vulnerability in github.com/runatlantis/atlantis (go), affecting versions < 0.30.0. It is fixed in 0.30.0.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Git credentials are exposed in Atlantis logs

Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server.

Atlantis logs contains GitHub credentials (tokens ghs_...) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub.

When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization.

This was reported in https://github.com/runatlantis/atlantis/issues/4060 and fixed in https://github.com/runatlantis/atlantis/pull/4667 . The fix was included in Atlantis v0.30.0.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

While auditing the Kubernetes/Argo CD/Atlantis deployment of some company, the following set-up was encountered:

  • Most employees have read-only access to Argo CD, enabling them to see the health of deployed applications.
  • Atlantis was deployed as an Argo CD application.
  • Atlantis was used to manage the configuration of a GitHub organization (such as team members), using Terraform's GitHub integration.

Atlantis logs on Argo CD contained lines such as:

{"level":"debug","ts":"2024-11-07T17:58:30.636Z","caller":"vcs/gh_app_creds_rotator.go:58","msg":"Refreshing git tokens for Github App","json":{}}
{"level":"debug","ts":"2024-11-07T17:58:30.637Z","caller":"vcs/gh_app_creds_rotator.go:64","msg":"token ghs_[REDACTED]","json":{}}
{"level":"debug","ts":"2024-11-07T17:58:30.637Z","caller":"vcs/git_cred_writer.go:36","msg":"git credentials file has expected contents, not modifying","json":{}}

This enabled employees with read-only access to Argo CD to get administration privileges on the GitHub organization, compromising all repositories. As some repositories were used for Infrastructure-as-Code deployment (with Atlantis), this enabled the security auditors to get cluster admin privileges on most Kubernetes clusters.

While the set-up "most employees have read-only access to Argo CD" can be seen as dangerous, this should not incur such security risk (cf. https://argo-cd.readthedocs.io/en/stable/operator-manual/security/). The main issue here was that the logs contained privileged GitHub tokens as they were obtained by Atlantis.

This issue was already reported (https://github.com/runatlantis/atlantis/issues/4060) and fixed (https://github.com/runatlantis/atlantis/pull/4667) but no security advisory was published on https://github.com/runatlantis/atlantis/security and no CVE was assigned (https://app.opencve.io/cve/?&vendor=runatlantis&product=atlantis only lists CVE-2022-24912, which is unrelated).

Could you please publish a security advisory?

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

cf. https://github.com/runatlantis/atlantis/issues/4060 for more details.

Impact

What kind of vulnerability is it? Who is impacted?

  • This leaks sensitive GitHub tokens in the log files (CWE-532: Insertion of Sensitive Information into Log File).
  • This could enable anyone with log read access to compromiseGitHub organizations managed by Atlantis.
  • This impact at least users using Atlantis with Github application and integration.

Affected versions

github.com/runatlantis/atlantis (< 0.30.0)

Security releases

github.com/runatlantis/atlantis → 0.30.0 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade github.com/runatlantis/atlantis to 0.30.0 or later to resolve this vulnerability.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2024-52009? CVE-2024-52009 is a high-severity security vulnerability in github.com/runatlantis/atlantis (go), affecting versions < 0.30.0. It is fixed in 0.30.0.
  2. Which versions of github.com/runatlantis/atlantis are affected by CVE-2024-52009? github.com/runatlantis/atlantis (go) versions < 0.30.0 is affected.
  3. Is there a fix for CVE-2024-52009? Yes. CVE-2024-52009 is fixed in 0.30.0. Upgrade to this version or later.
  4. Is CVE-2024-52009 exploitable, and should I be worried? Whether CVE-2024-52009 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2024-52009 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2024-52009? Upgrade github.com/runatlantis/atlantis to 0.30.0 or later.

Other vulnerabilities in github.com/runatlantis/atlantis

Stop the waste.
Protect your environment with Kodem.