### [CVE-2024-52009](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52009)
![](https://img.shields.io/static/v1?label=Product&message=atlantis&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%200.30.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-532%3A%20Insertion%20of%20Sensitive%20Information%20into%20Log%20File&color=brightgreen)

### Description

Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Atlantis logs contains GitHub credentials (tokens `ghs_...`) when they are rotated. This enables an attacker able to read these logs to impersonate Atlantis application and to perform actions on GitHub. When Atlantis is used to administer a GitHub organization, this enables getting administration privileges on the organization. This was reported in #4060 and fixed in #4667 . The fix was included in Atlantis v0.30.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

### POC

#### Reference
- https://github.com/runatlantis/atlantis/security/advisories/GHSA-gppm-hq3p-h4rp

#### Github
No PoCs found on GitHub currently.