Search
Find a vulnerability
Search criteria
3 vulnerabilities by runatlantis
CVE-2025-58445 (GCVE-0-2025-58445)
Vulnerability from cvelistv5 – Published: 2025-09-06 19:47 – Updated: 2025-09-08 14:35
VLAI
Title
Atlantis Exposes Service Version Publicly on /status API Endpoint
Summary
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target known vulnerabilities associated with the specific versions, potentially compromising the service's security posture. This issue does not currently have a fix.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/runatlantis/atlantis/security/… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| runatlantis | atlantis |
Affected:
<= 0.35.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58445",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T14:35:01.140280Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T14:35:06.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-xh7v-965r-23f7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "atlantis",
"vendor": "runatlantis",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.35.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. All versions of Atlantis publicly expose detailed version information through its /status endpoint. This information disclosure could allow attackers to identify and target known vulnerabilities associated with the specific versions, potentially compromising the service\u0027s security posture. This issue does not currently have a fix."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-06T19:47:33.669Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-xh7v-965r-23f7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-xh7v-965r-23f7"
}
],
"source": {
"advisory": "GHSA-xh7v-965r-23f7",
"discovery": "UNKNOWN"
},
"title": "Atlantis Exposes Service Version Publicly on /status API Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-58445",
"datePublished": "2025-09-06T19:47:33.669Z",
"dateReserved": "2025-09-01T20:03:06.533Z",
"dateUpdated": "2025-09-08T14:35:06.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52009 (GCVE-0-2024-52009)
Vulnerability from cvelistv5 – Published: 2024-11-08 22:24 – Updated: 2024-11-12 19:19
VLAI
Title
Git credentials are exposed in atlantis logs
Summary
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/runatlantis/atlantis/security/… | x_refsource_CONFIRM |
| https://github.com/runatlantis/atlantis/issues/4060 | x_refsource_MISC |
| https://github.com/runatlantis/atlantis/pull/4667 | x_refsource_MISC |
| https://argo-cd.readthedocs.io/en/stable/operator… | x_refsource_MISC |
| https://github.com/runatlantis/atlantis/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| runatlantis | atlantis |
Affected:
< 0.30.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52009",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T19:19:05.416739Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T19:19:58.293Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "atlantis",
"vendor": "runatlantis",
"versions": [
{
"status": "affected",
"version": "\u003c 0.30.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-08T22:24:15.300Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp"
},
{
"name": "https://github.com/runatlantis/atlantis/issues/4060",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/runatlantis/atlantis/issues/4060"
},
{
"name": "https://github.com/runatlantis/atlantis/pull/4667",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/runatlantis/atlantis/pull/4667"
},
{
"name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security",
"tags": [
"x_refsource_MISC"
],
"url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/security"
},
{
"name": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/runatlantis/atlantis/releases/tag/v0.30.0"
}
],
"source": {
"advisory": "GHSA-gppm-hq3p-h4rp",
"discovery": "UNKNOWN"
},
"title": "Git credentials are exposed in atlantis logs"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-52009",
"datePublished": "2024-11-08T22:24:15.300Z",
"dateReserved": "2024-11-04T17:46:16.779Z",
"dateUpdated": "2024-11-12T19:19:58.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24912 (GCVE-0-2022-24912)
Vulnerability from cvelistv5 – Published: 2022-07-29 10:00 – Updated: 2024-09-17 02:53
VLAI
Title
Timing Attack
Summary
The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events.
Severity
7.5 (High)
CWE
- Timing Attack
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBC… | x_refsource_MISC |
| https://github.com/runatlantis/atlantis/issues/2391 | x_refsource_MISC |
| https://github.com/runatlantis/atlantis/commit/48… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | github.com/runatlantis/atlantis/server/controllers/events |
Affected:
unspecified , < 0.19.7
(custom)
|
Date Public
2022-07-29 00:00
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:00.822Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/runatlantis/atlantis/issues/2391"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "github.com/runatlantis/atlantis/server/controllers/events",
"vendor": "n/a",
"versions": [
{
"lessThan": "0.19.7",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "cedws"
}
],
"datePublic": "2022-07-29T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Timing Attack",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-29T10:00:15.000Z",
"orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"shortName": "snyk"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/runatlantis/atlantis/issues/2391"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820"
}
],
"title": "Timing Attack",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "report@snyk.io",
"DATE_PUBLIC": "2022-07-29T10:00:02.670704Z",
"ID": "CVE-2022-24912",
"STATE": "PUBLIC",
"TITLE": "Timing Attack"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "github.com/runatlantis/atlantis/server/controllers/events",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.19.7"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "cedws"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The package github.com/runatlantis/atlantis/server/controllers/events before 0.19.7 are vulnerable to Timing Attack in the webhook event validator code, which does not use a constant-time comparison function to validate the webhook secret. It can allow an attacker to recover this secret as an attacker and then forge webhook events."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Timing Attack"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851",
"refsource": "MISC",
"url": "https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMRUNATLANTISATLANTISSERVERCONTROLLERSEVENTS-2950851"
},
{
"name": "https://github.com/runatlantis/atlantis/issues/2391",
"refsource": "MISC",
"url": "https://github.com/runatlantis/atlantis/issues/2391"
},
{
"name": "https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820",
"refsource": "MISC",
"url": "https://github.com/runatlantis/atlantis/commit/48870911974adddaa4c99c8089e79b7d787fa820"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
"assignerShortName": "snyk",
"cveId": "CVE-2022-24912",
"datePublished": "2022-07-29T10:00:15.439Z",
"dateReserved": "2022-02-24T00:00:00.000Z",
"dateUpdated": "2024-09-17T02:53:19.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}