Atlantis Information Disclosure Vulnerability via Publicly Exposed Version Details on the /status Endpoint

A vulnerability exists in Atlantis, a self-hosted Golang application that interacts with Terraform pull request events through webhooks. All versions of Atlantis expose detailed version information on the '/status' endpoint without requiring authentication. This information disclosure could enable attackers to identify and exploit known vulnerabilities associated with those specific versions, potentially compromising the application's security. The issue violates best practices by exposing sensitive metadata that could be leveraged in targeted attacks.

Impact

The vulnerability allows for unauthorized information disclosure, with exposed version details that could be used to identify and exploit known vulnerabilities in the disclosed software version. This could lead to a broader compromise of the application or service.

Reproduction

To reproduce this vulnerability, send a GET request to the '/status' endpoint of the Atlantis server. The response will include detailed version and build information, which is publicly accessible without authentication. This exposed information can then be cross-referenced with public vulnerability databases to identify potential exploits.