CVE-2024-29893 (GCVE-0-2024-29893)
Vulnerability from cvelistv5 – Published: 2024-03-29 15:07 – Updated: 2024-08-02 01:17 – CWE-400: Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://github.com/argoproj/argo-cd/security/advi… | x_refsource_CONFIRM |
| https://github.com/argoproj/argo-cd/commit/14f681… | x_refsource_MISC |
| https://github.com/argoproj/argo-cd/commit/36b8a1… | x_refsource_MISC |
| https://github.com/argoproj/argo-cd/commit/3e5a87… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-29893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-29T18:59:56.278009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-06T19:22:49.108Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:17:58.029Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.8.14"
},
{
"status": "affected",
"version": "\u003e= 2.9.0, \u003c 2.9.10"
},
{
"status": "affected",
"version": "\u003e= 2.10.0, \u003c 2.10.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it\u0027s possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD\u0027s helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-29T15:07:51.057Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd"
}
],
"source": {
"advisory": "GHSA-jhwx-mhww-rgc3",
"discovery": "UNKNOWN"
},
"title": "Uncontrolled Resource Consumption vulnerability in ArgoCD\u0027s repo server"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-29893",
"datePublished": "2024-03-29T15:07:51.057Z",
"dateReserved": "2024-03-21T15:12:08.998Z",
"dateUpdated": "2024-08-02T01:17:58.029Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2024-29893",
"date": "2026-06-01",
"epss": "0.00821",
"percentile": "0.747"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.4.0\", \"versionEndExcluding\": \"2.8.14\", \"matchCriteriaId\": \"1BE60261-08D8-49D9-922D-58F6AE49CE29\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.9.0\", \"versionEndExcluding\": \"2.9.10\", \"matchCriteriaId\": \"5F147EC5-95CE-449F-AAAD-66B18EE07307\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.10.0\", \"versionEndExcluding\": \"2.10.5\", \"matchCriteriaId\": \"D06F260F-329E-470E-BEEC-5927B9EE1735\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it\u0027s possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD\u0027s helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12.\"}, {\"lang\": \"es\", \"value\": \"Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Todas las versiones de ArgoCD a partir de la v2.4 tienen un error por el cual el componente del servidor de repositorio de ArgoCD es vulnerable a un vector de ataque de denegaci\\u00f3n de servicio. Espec\\u00edficamente, es posible bloquear el componente del servidor de repositorio debido a un error de falta de memoria al se\\u00f1alarlo a un registro de Helm malicioso. La funci\\u00f3n loadRepoIndex() en el paquete helm de ArgoCD no limita el tama\\u00f1o ni el tiempo al recuperar los datos. Lo recupera y crea un segmento de bytes a partir de los datos recuperados de una sola vez. Si el registro se implementa para enviar datos continuamente, el servidor de repositorio seguir\\u00e1 asignando memoria hasta que se agote. Se lanz\\u00f3 un parche para esta vulnerabilidad en las versiones 2.10.3, 2.9.8 y 2.8.12.\"}]",
"id": "CVE-2024-29893",
"lastModified": "2025-01-09T14:42:05.183",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}]}",
"published": "2024-03-29T15:15:12.740",
"references": "[{\"url\": \"https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2024-29893\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-03-29T15:15:12.740\",\"lastModified\":\"2025-01-09T14:42:05.183\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it\u0027s possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD\u0027s helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12.\"},{\"lang\":\"es\",\"value\":\"Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Todas las versiones de ArgoCD a partir de la v2.4 tienen un error por el cual el componente del servidor de repositorio de ArgoCD es vulnerable a un vector de ataque de denegaci\u00f3n de servicio. Espec\u00edficamente, es posible bloquear el componente del servidor de repositorio debido a un error de falta de memoria al se\u00f1alarlo a un registro de Helm malicioso. La funci\u00f3n loadRepoIndex() en el paquete helm de ArgoCD no limita el tama\u00f1o ni el tiempo al recuperar los datos. Lo recupera y crea un segmento de bytes a partir de los datos recuperados de una sola vez. Si el registro se implementa para enviar datos continuamente, el servidor de repositorio seguir\u00e1 asignando memoria hasta que se agote. 
Se lanz\u00f3 un parche para esta vulnerabilidad en las versiones 2.10.3, 2.9.8 y 2.8.12.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.4.0\",\"versionEndExcluding\":\"2.8.14\",\"matchCriteriaId\":\"1BE60261-08D8-49D9-922D-58F6AE49CE29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.9.0\",\"versionEndExcluding\":\"2.9.10\",\"matchCriteriaId\":\"5F147EC5-95CE-449F-AAAD-66B18EE07307\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2
.10.0\",\"versionEndExcluding\":\"2.10.5\",\"matchCriteriaId\":\"D06F260F-329E-470E-BEEC-5927B9EE1735\"}]}]}],\"references\":[{\"url\":\"https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3\", \"name\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d\", \"name\": \"https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59\", \"name\": \"https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd\", \"name\": \"https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T01:17:58.029Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-29893\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-03-29T18:59:56.278009Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-06T19:22:46.280Z\"}}], \"cna\": {\"title\": \"Uncontrolled Resource Consumption vulnerability in ArgoCD\u0027s repo server\", \"source\": {\"advisory\": \"GHSA-jhwx-mhww-rgc3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", 
\"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"argoproj\", \"product\": \"argo-cd\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.4.0, \u003c 2.8.14\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.9.0, \u003c 2.9.10\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.10.0, \u003c 2.10.5\"}]}], \"references\": [{\"url\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3\", \"name\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d\", \"name\": \"https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59\", \"name\": \"https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd\", \"name\": \"https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. 
Specifically, it\u0027s possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD\u0027s helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out of it. A patch for this vulnerability has been released in v2.10.3, v2.9.8, and v2.8.12.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400: Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-03-29T15:07:51.057Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2024-29893\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-02T01:17:58.029Z\", \"dateReserved\": \"2024-03-21T15:12:08.998Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-03-29T15:07:51.057Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
RHSA-2024_1752
Vulnerability from csaf_redhat - Published: 2024-04-10 12:21 - Updated: 2024-11-24 15:00 – A flaw was found in the Argo CD package. An improper validation bug allows users who have create privileges but not override privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions, are still enforced. The only restriction that is not enforced is that the manifests must come from an approved git/Helm/OCI source.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
A brute force protection bypass flaw was found in Argo CD. Because failed login attempts are stored only in memory, every time the server restarts the attempt count is lost and unlimited login attempts can be made. It is possible to bypass brute force protections by chaining this issue with a denial of service issue, such as CVE-2024-21661.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Argo CD that may result in a remote denial of service. The expireOldFailedAttempts function modifies an array while it is being iterated over. This issue may cause an application crash when executed in a multi-threaded environment if two threads interact with the same array simultaneously.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
A flaw was found in Argo CD, where the rate limit for login attempts may be bypassed due to an incomplete fix for CVE-2020-8827. The cache-based mechanism is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by sending excessive login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account. This enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
Workaround
|
The ArgoCD repo-server component is vulnerable to a denial of service attack: it is possible to crash the repo server component through an out-of-memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD helm package does not limit the response size or the fetch time while retrieving the data. It fetches the data and creates a byte slice from it in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64 | — |
Vendor Fix
fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift GitOps v1.12.1 for Argo CD CLI and MicroShift GitOps. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Errata Advisory for Red Hat OpenShift GitOps v1.12.1- Argo CD CLI and MicroShift GitOps.\n\nSecurity Fix(es):\n\n* argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment (CVE-2024-21661)\n\n* argo-cd: Users with `create` but not `override` privileges can perform local\nsync (CVE-2023-50726)\n\n* argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss (CVE-2024-21652)\n\n* argo-cd: uncontrolled resource consumption vulnerability (CVE-2024-29893)\n\n* argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow (CVE-2024-21662)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2024:1752",
"url": "https://access.redhat.com/errata/RHSA-2024:1752"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://docs.openshift.com/gitops/latest/understanding_openshift_gitops/about-redhat-openshift-gitops.html",
"url": "https://docs.openshift.com/gitops/latest/understanding_openshift_gitops/about-redhat-openshift-gitops.html"
},
{
"category": "external",
"summary": "2269479",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269479"
},
{
"category": "external",
"summary": "2270170",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270170"
},
{
"category": "external",
"summary": "2270173",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270173"
},
{
"category": "external",
"summary": "2270182",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270182"
},
{
"category": "external",
"summary": "2272211",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272211"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_1752.json"
}
],
"title": "Red Hat Security Advisory: GitOps 1.12.1- Argo CD CLI and MicroShift GitOps security update",
"tracking": {
"current_release_date": "2024-11-24T15:00:25+00:00",
"generator": {
"date": "2024-11-24T15:00:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2024:1752",
"initial_release_date": "2024-04-10T12:21:14+00:00",
"revision_history": [
{
"date": "2024-04-10T12:21:14+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2024-04-10T12:21:14+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-24T15:00:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift GitOps 1.12",
"product": {
"name": "Red Hat OpenShift GitOps 1.12",
"product_id": "8Base-GitOps-1.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_gitops:1.12::el8"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift GitOps 1.12",
"product": {
"name": "Red Hat OpenShift GitOps 1.12",
"product_id": "9Base-GitOps-1.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_gitops:1.12::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift GitOps"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"product": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=src"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"product": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"product_id": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-4.el9?arch=src"
}
}
},
{
"category": "product_version",
"name": "microshift-gitops-0:1.12.1-4.el9.src",
"product": {
"name": "microshift-gitops-0:1.12.1-4.el9.src",
"product_id": "microshift-gitops-0:1.12.1-4.el9.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/microshift-gitops@1.12.1-4.el9?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"product": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"product": {
"name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"product_id": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli-redistributable@1.12.1-5.el8?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"product": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"product_id": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-4.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64",
"product": {
"name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64",
"product_id": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli-redistributable@1.12.1-4.el9?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "microshift-gitops-0:1.12.1-4.el9.x86_64",
"product": {
"name": "microshift-gitops-0:1.12.1-4.el9.x86_64",
"product_id": "microshift-gitops-0:1.12.1-4.el9.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/microshift-gitops@1.12.1-4.el9?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"product": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"product": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"product_id": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-4.el9?arch=aarch64"
}
}
},
{
"category": "product_version",
"name": "microshift-gitops-0:1.12.1-4.el9.aarch64",
"product": {
"name": "microshift-gitops-0:1.12.1-4.el9.aarch64",
"product_id": "microshift-gitops-0:1.12.1-4.el9.aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/microshift-gitops@1.12.1-4.el9?arch=aarch64"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"product": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=ppc64le"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"product": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"product_id": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/openshift-gitops-argocd-cli@1.12.1-5.el8?arch=s390x"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"product": {
"name": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"product_id": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/microshift-gitops-release-info@1.12.1-4.el9?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64 as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64"
},
"product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"relates_to_product_reference": "8Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le"
},
"product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x"
},
"product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"relates_to_product_reference": "8Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src"
},
"product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"relates_to_product_reference": "8Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64 as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64"
},
"product_reference": "openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"relates_to_product_reference": "8Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64 as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64"
},
"product_reference": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"relates_to_product_reference": "8Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "microshift-gitops-0:1.12.1-4.el9.aarch64 as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64"
},
"product_reference": "microshift-gitops-0:1.12.1-4.el9.aarch64",
"relates_to_product_reference": "9Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "microshift-gitops-0:1.12.1-4.el9.src as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src"
},
"product_reference": "microshift-gitops-0:1.12.1-4.el9.src",
"relates_to_product_reference": "9Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "microshift-gitops-0:1.12.1-4.el9.x86_64 as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64"
},
"product_reference": "microshift-gitops-0:1.12.1-4.el9.x86_64",
"relates_to_product_reference": "9Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch"
},
"product_reference": "microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"relates_to_product_reference": "9Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64 as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64"
},
"product_reference": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"relates_to_product_reference": "9Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src"
},
"product_reference": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"relates_to_product_reference": "9Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64 as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64"
},
"product_reference": "openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"relates_to_product_reference": "9Base-GitOps-1.12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64 as a component of Red Hat OpenShift GitOps 1.12",
"product_id": "9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
},
"product_reference": "openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64",
"relates_to_product_reference": "9Base-GitOps-1.12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-50726",
"cwe": {
"id": "CWE-269",
"name": "Improper Privilege Management"
},
"discovery_date": "2024-03-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2269479"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the Argo CD package. An improper validation bug allows users who have create privileges but not override privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions, are still enforced. The only restriction that is not enforced is that the manifests come from an approved git/Helm/OCI source.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CD: Users with `create` but not `override` privileges can perform local sync",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-50726"
},
{
"category": "external",
"summary": "RHBZ#2269479",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269479"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-50726",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-50726"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-50726",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50726"
},
{
"category": "external",
"summary": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac",
"url": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978",
"url": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm"
}
],
"release_date": "2024-03-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-04-10T12:21:14+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1752"
},
{
"category": "workaround",
"details": "To mitigate the risk of branch protection bypass, remove the `applications, create` RBAC access.",
"product_ids": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CD: Users with `create` but not `override` privileges can perform local sync"
},
{
"cve": "CVE-2024-21652",
"cwe": {
"id": "CWE-307",
"name": "Improper Restriction of Excessive Authentication Attempts"
},
"discovery_date": "2024-03-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2270170"
}
],
"notes": [
{
"category": "description",
"text": "A brute force protection bypass flaw was found in Argo CD. Since login attempts are stored only in memory, the attempt count is lost every time the server restarts, and unlimited login attempts can then be made. It is possible to bypass brute force protections by chaining this issue with a denial of service issue, such as CVE-2024-21661.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-21652"
},
{
"category": "external",
"summary": "RHBZ#2270170",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270170"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-21652",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21652"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21652",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21652"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv"
}
],
"release_date": "2024-03-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-04-10T12:21:14+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1752"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss"
},
{
"cve": "CVE-2024-21661",
"cwe": {
"id": "CWE-567",
"name": "Unsynchronized Access to Shared Data in a Multithreaded Context"
},
"discovery_date": "2024-03-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2270173"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Argo CD that may result in a remote denial of service. The expireOldFailedAttempts function modifies an array while it is being iterated over. This issue may cause an application crash when executed in a multi-threaded environment if two threads interact with the same array simultaneously.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-21661"
},
{
"category": "external",
"summary": "RHBZ#2270173",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270173"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-21661",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21661"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21661",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21661"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7"
}
],
"release_date": "2024-03-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-04-10T12:21:14+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1752"
},
{
"category": "workaround",
"details": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
"product_ids": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment"
},
{
"cve": "CVE-2024-21662",
"cwe": {
"id": "CWE-307",
"name": "Improper Restriction of Excessive Authentication Attempts"
},
"discovery_date": "2024-03-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2270182"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Argo CD, where the rate limit for login attempts may be bypassed due to an incomplete fix for CVE-2020-8827. The cache-based mechanism is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by sending excessive login attempts for different users, thereby pushing out the admin account\u0027s failed attempts and effectively resetting the rate limit for that account. This enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-21662"
},
{
"category": "external",
"summary": "RHBZ#2270182",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2270182"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-21662",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21662"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-21662",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21662"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d",
"url": "https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b",
"url": "https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456",
"url": "https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454"
}
],
"release_date": "2024-03-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-04-10T12:21:14+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1752"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow"
},
{
"cve": "CVE-2024-29893",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2024-03-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2272211"
}
],
"notes": [
{
"category": "description",
"text": "The ArgoCD repo-server component is vulnerable to a denial of service attack, where it is possible to crash the repo server component through an out-of-memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD\u0027s helm package does not limit the size or time while fetching the data. It fetches and creates a byte slice from the retrieved data in one go. If the registry is implemented to push data continuously, the repo server will keep allocating memory until it runs out.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argo-cd: uncontrolled memory allocation vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2024-29893"
},
{
"category": "external",
"summary": "RHBZ#2272211",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2272211"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2024-29893",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29893"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2024-29893",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29893"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d",
"url": "https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59",
"url": "https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd",
"url": "https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3"
}
],
"release_date": "2024-03-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2024-04-10T12:21:14+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2024:1752"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.aarch64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.ppc64le",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.s390x",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.src",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-5.el8.x86_64",
"8Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-5.el8.x86_64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:microshift-gitops-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:microshift-gitops-release-info-0:1.12.1-4.el9.noarch",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.aarch64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.src",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-0:1.12.1-4.el9.x86_64",
"9Base-GitOps-1.12:openshift-gitops-argocd-cli-redistributable-0:1.12.1-4.el9.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "argo-cd: uncontrolled memory allocation vulnerability"
}
]
}
WID-SEC-W-2024-0812
Vulnerability from csaf_certbund - Published: 2024-04-08 22:00 - Updated: 2024-04-10 22:00
In Red Hat OpenShift existieren mehrere Schwachstellen. Diese sind auf Fehler in der Funktion "expireOldFailedAttempts" sowie einen out-of-Memory Error zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Enterprise Linux (Red Hat) | cpe:/o:redhat:enterprise_linux:- | — | |
In Red Hat OpenShift existieren mehrere Schwachstellen. Diese sind auf Fehler in der Funktion "expireOldFailedAttempts" sowie einen out-of-Memory Error zurückzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuführen.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Enterprise Linux (Red Hat) | cpe:/o:redhat:enterprise_linux:- | — | |
In Red Hat OpenShift existieren mehrere Schwachstellen. Diese bestehen in der Komponente ArgoCD und sind auf Fehler in der Eingabevalidierung sowie einen unzureichenden Brute-Force-Schutz zurückzuführen. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Enterprise Linux (Red Hat) | cpe:/o:redhat:enterprise_linux:- | — | |
In Red Hat OpenShift existieren mehrere Schwachstellen. Diese bestehen in der Komponente ArgoCD und sind auf Fehler in der Eingabevalidierung sowie einen unzureichenden Brute-Force-Schutz zurückzuführen. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Enterprise Linux (Red Hat) | cpe:/o:redhat:enterprise_linux:- | — | |
In Red Hat OpenShift existieren mehrere Schwachstellen. Diese bestehen in der Komponente ArgoCD und sind auf Fehler in der Eingabevalidierung sowie einen unzureichenden Brute-Force-Schutz zurückzuführen. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Enterprise Linux (Red Hat) | cpe:/o:redhat:enterprise_linux:- | — | |
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Red Hat OpenShift ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren oder um Sicherheitsma\u00dfnahmen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2024-0812 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0812.json"
},
{
"category": "self",
"summary": "WID-SEC-2024-0812 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0812"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2024-04-08",
"url": "https://access.redhat.com/errata/RHSA-2024:1697"
},
{
"category": "external",
"summary": "RedHat Security Advisory vom 2024-04-08",
"url": "https://access.redhat.com/errata/RHSA-2024:1700"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:1753 vom 2024-04-10",
"url": "https://access.redhat.com/errata/RHSA-2024:1753"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2024:1752 vom 2024-04-10",
"url": "https://access.redhat.com/errata/RHSA-2024:1752"
}
],
"source_lang": "en-US",
"title": "Red Hat OpenShift: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2024-04-10T22:00:00.000+00:00",
"generator": {
"date": "2024-08-15T18:07:24.106+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.5"
}
},
"id": "WID-SEC-W-2024-0812",
"initial_release_date": "2024-04-08T22:00:00.000+00:00",
"revision_history": [
{
"date": "2024-04-08T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2024-04-10T22:00:00.000+00:00",
"number": "2",
"summary": "Neue Updates von Red Hat aufgenommen"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003cv1.11.3",
"product": {
"name": "Red Hat OpenShift \u003cv1.11.3",
"product_id": "T033955"
}
},
{
"category": "product_version_range",
"name": "\u003cv1.10.4",
"product": {
"name": "Red Hat OpenShift \u003cv1.10.4",
"product_id": "T033956"
}
}
],
"category": "product_name",
"name": "OpenShift"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2024-21661",
"notes": [
{
"category": "description",
"text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Diese sind auf Fehler in der Funktion \"expireOldFailedAttempts\" sowie einen out-of-Memory Error zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"67646"
]
},
"release_date": "2024-04-08T22:00:00.000+00:00",
"title": "CVE-2024-21661"
},
{
"cve": "CVE-2024-29893",
"notes": [
{
"category": "description",
"text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Diese sind auf Fehler in der Funktion \"expireOldFailedAttempts\" sowie einen out-of-Memory Error zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service Zustand herbeizuf\u00fchren."
}
],
"product_status": {
"known_affected": [
"67646"
]
},
"release_date": "2024-04-08T22:00:00.000+00:00",
"title": "CVE-2024-29893"
},
{
"cve": "CVE-2023-50726",
"notes": [
{
"category": "description",
"text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Diese bestehen in der Komponente ArgoCD und sind auf Fehler in der Eingabevalidierung sowie einen unzureichenden Brute-Force-Schutz zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"67646"
]
},
"release_date": "2024-04-08T22:00:00.000+00:00",
"title": "CVE-2023-50726"
},
{
"cve": "CVE-2024-21652",
"notes": [
{
"category": "description",
"text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Diese bestehen in der Komponente ArgoCD und sind auf Fehler in der Eingabevalidierung sowie einen unzureichenden Brute-Force-Schutz zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"67646"
]
},
"release_date": "2024-04-08T22:00:00.000+00:00",
"title": "CVE-2024-21652"
},
{
"cve": "CVE-2024-21662",
"notes": [
{
"category": "description",
"text": "In Red Hat OpenShift existieren mehrere Schwachstellen. Diese bestehen in der Komponente ArgoCD und sind auf Fehler in der Eingabevalidierung sowie einen unzureichenden Brute-Force-Schutz zur\u00fcckzuf\u00fchren. Ein entfernter, authentisierter Angreifer kann diese Schwachstellen ausnutzen, um Sicherheitsvorkehrungen zu umgehen."
}
],
"product_status": {
"known_affected": [
"67646"
]
},
"release_date": "2024-04-08T22:00:00.000+00:00",
"title": "CVE-2024-21662"
}
]
}