CVE-2024-52009

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-52009
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-52009.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-52009
Aliases
Downstream
Related
Published
2024-11-08T23:15:05Z
Modified
2025-07-01T16:09:57.759956Z
Summary
[none]
Details

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contain GitHub credentials (tokens ghs_...) when they are rotated. This enables an attacker who is able to read these logs to impersonate the Atlantis application and perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667. The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Git / github.com/runatlantis/atlantis

Affected ranges

Type
GIT
Repo
https://github.com/runatlantis/atlantis
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.14.0
v0.15.0
v0.15.1
v0.16.0
v0.16.1
v0.17.0
v0.17.0-beta
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.17.5
v0.17.6
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.19.0
v0.19.1
v0.19.2
v0.19.2-pre.20220408
v0.19.3
v0.19.3-pre.20220408
v0.19.3-pre.20220429
v0.19.4
v0.19.4-pre.20220513
v0.19.5
v0.19.5-pre.20220616
v0.19.5-pre.20220622
v0.19.5-pre.20220628
v0.19.6
v0.19.7
v0.19.7-pre.20220713
v0.19.8
v0.19.8-pre.20220722
v0.19.8-pre.20220810
v0.19.9
v0.19.9-pre.20220822
v0.19.9-pre.20220908
v0.19.9-pre.20220912
v0.19.9-pre.20220923
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.20.0
v0.20.1
v0.20.2-pre.20221106
v0.21.0
v0.21.0-pre.20221114
v0.21.0-pre.20221120
v0.21.0-pre.20221207
v0.21.1-pre.20221213
v0.22.0
v0.22.0-pre.20221219
v0.22.0-pre.20221226
v0.22.1
v0.22.2
v0.22.3
v0.22.3-pre.20230110
v0.22.3-pre.20230111
v0.23.0
v0.23.0-pre.20230125
v0.23.0-pre.20230209
v0.23.0-pre.20230222
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.23.5
v0.24.0
v0.24.1
v0.24.2
v0.24.3
v0.24.4
v0.25.0
v0.26.0
v0.28.0
v0.28.2
v0.29.0
v0.3.0
v0.3.1
v0.3.10
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.3.8
v0.3.9
v0.4.0
v0.4.1
v0.4.10
v0.4.11
v0.4.12
v0.4.13
v0.4.14
v0.4.15
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.4.6
v0.4.7
v0.4.8
v0.4.9
v0.5.0
v0.5.1
v0.6.0
v0.7.0
v0.7.1
v0.7.2
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.9.0