CVE-2024-52009: 
Atlantis vulnerability analysis and mitigation

Atlantis, a self-hosted golang application that listens for Terraform pull request events via webhooks, was found to expose GitHub credentials (tokens ghs_...) in its logs when they are rotated. This vulnerability, tracked as CVE-2024-52009, was discovered in versions prior to 0.30.0. The exposure of these credentials could allow attackers with log access to impersonate the Atlantis application and perform unauthorized actions on GitHub (GitHub Advisory).

The vulnerability stems from debug-level logging that explicitly outputs GitHub application tokens during the token rotation process. The issue was specifically identified in the logging functionality within the vcs/gh_app_creds_rotator.go file. The vulnerability has been assigned a CVSS v4.0 base score of 8.5 (High), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H. This indicates a network-accessible vulnerability with low attack complexity that requires low privileges and no user interaction (NVD).

The exposure of GitHub tokens in log files could enable anyone with log read access to compromise GitHub organizations managed by Atlantis. In environments where Atlantis is used to administer a GitHub organization, this vulnerability could lead to obtaining administration privileges on the organization. The impact is particularly severe in setups where employees have read-only access to logs, as it could lead to unauthorized access to sensitive repositories and potentially escalate to cluster admin privileges on Kubernetes clusters (GitHub Advisory).

The vulnerability has been fixed in Atlantis version 0.30.0. Users are strongly advised to upgrade to this version or later. The fix involves removing the sensitive token information from the logs. There are no known workarounds for this vulnerability other than upgrading to the patched version (GitHub Release).