cve-2022-29165
Vulnerability from cvelistv5
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/argoproj/argo-cd/releases/tag/v2.1.15 | Release Notes, Third Party Advisory |
| security-advisories@github.com | https://github.com/argoproj/argo-cd/releases/tag/v2.2.9 | Release Notes, Third Party Advisory |
| security-advisories@github.com | https://github.com/argoproj/argo-cd/releases/tag/v2.3.4 | Release Notes, Third Party Advisory |
| security-advisories@github.com | https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj | Mitigation, Third Party Advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T06:17:53.891Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "argo-cd", "vendor": "argoproj", "versions": [ { "status": "affected", "version": "\u003e= 1.4.0, \u003c 2.1.15" }, { "status": "affected", "version": "\u003e= 2.2.0, \u003c 2.2.9" }, { "status": "affected", "version": "\u003e= 2.3.0, \u003c 2.3.4" } ] } ], "descriptions": [ { "lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. 
If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-287", "description": "CWE-287: Improper Authentication", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-290", "description": "CWE-290: Authentication Bypass by Spoofing", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-05-20T14:15:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4" }, { 
"tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj" } ], "source": { "advisory": "GHSA-r642-gv9p-2wjj", "discovery": "UNKNOWN" }, "title": "Argo CD will blindly trust JWT claims if anonymous access is enabled", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29165", "STATE": "PUBLIC", "TITLE": "Argo CD will blindly trust JWT claims if anonymous access is enabled" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "argo-cd", "version": { "version_data": [ { "version_value": "\u003e= 1.4.0, \u003c 2.1.15" }, { "version_value": "\u003e= 2.2.0, \u003c 2.2.9" }, { "version_value": "\u003e= 2.3.0, \u003c 2.3.4" } ] } } ] }, "vendor_name": "argoproj" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. 
If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" } ] }, { "description": [ { "lang": "eng", "value": "CWE-287: Improper Authentication" } ] }, { "description": [ { "lang": "eng", "value": "CWE-290: Authentication Bypass by Spoofing" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15", "refsource": "MISC", "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15" }, { "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9", "refsource": "MISC", "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9" }, { "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4", "refsource": "MISC", "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4" }, { "name": 
"https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj", "refsource": "CONFIRM", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj" } ] }, "source": { "advisory": "GHSA-r642-gv9p-2wjj", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2022-29165", "datePublished": "2022-05-20T14:15:11", "dateReserved": "2022-04-13T00:00:00", "dateUpdated": "2024-08-03T06:17:53.891Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2022-29165\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-05-20T15:15:10.210\",\"lastModified\":\"2024-08-07T15:43:51.540\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. 
This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable.\"},{\"lang\":\"es\",\"value\":\"Argo CD es una herramienta declarativa de entrega continua GitOps para Kubernetes. Se ha detectado una vulnerabilidad cr\u00edtica en Argo CD a partir de la versi\u00f3n 1.4.0 y versiones anteriores a 2.1.15, 2.2.9 y 2.3.4 que permitir\u00eda a usuarios no autenticados hacerse pasar por cualquier usuario o rol de Argo CD, incluido el usuario \\\"admin\\\", mediante el env\u00edo de un Token Web JSON (JWT) espec\u00edficamente dise\u00f1ado junto con la petici\u00f3n. Para que esta vulnerabilidad pueda ser explotada, el acceso an\u00f3nimo a la instancia de CD Argo debe estar habilitado. En una instalaci\u00f3n por defecto de Argo CD, el acceso an\u00f3nimo est\u00e1 deshabilitado. La vulnerabilidad puede ser explotada para hacerse pasar por cualquier usuario o rol, incluyendo la cuenta \\\"admin\\\" incorporada, independientemente de si est\u00e1 habilitada o deshabilitada. Adem\u00e1s, el atacante no necesita una cuenta en la instancia de CD Argo para poder explotar esto. Si el acceso an\u00f3nimo a la instancia est\u00e1 habilitado, un atacante puede escalar sus privilegios, permiti\u00e9ndole alcanzar los mismos privilegios en el cluster que la instancia de CD Argo, que es el administrador del cluster en una instalaci\u00f3n por defecto. Esto permitir\u00e1 al atacante crear, manipular y eliminar cualquier recurso en el cl\u00faster. 
Tambi\u00e9n pueden exfiltrar datos al desplegar cargas de trabajo maliciosas con privilegios elevados, eludiendo as\u00ed cualquier redacci\u00f3n de datos confidenciales que la API de CD de Argo pueda aplicar. Ha sido publicado un parche para esta vulnerabilidad en las versiones 2.3.4, 2.2.9 y 2.1.15 del CD Argo. Como mitigaci\u00f3n, puede deshabilitarse el acceso an\u00f3nimo, pero es preferible actualizar a una versi\u00f3n parcheada\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":10.0,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":3.9,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:C/I:C/A:C\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\",\"baseScore\":9.3},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":8.6,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obta
inOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-287\"},{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.4.0\",\"versionEndExcluding\":\"2.1.15\",\"matchCriteriaId\":\"1E2FF44B-FAFD-4B1E-9B15-357F5D1523BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.2.0\",\"versionEndExcluding\":\"2.2.9\",\"matchCriteriaId\":\"97EADC28-ADC0-4B9E-BBDB-E2EF244B4BD9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.3.0\",\"versionEndExcluding\":\"2.3.4\",\"matchCriteriaId\":\"21A2130E-E263-4B62-B75D-E0631020E8E0\"}]}]}],\"references\":[{\"url\":\"https://github.com/argoproj/argo-cd/releases/tag/v2.1.15\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/argoproj/argo-cd/releases/tag/v2.2.9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/argoproj/argo-cd/releases/tag/v2.3.4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]}]}}" } }
rhsa-2022_4671
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat OpenShift GitOps 1.3 in openshift-gitops-argocd container.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled (CVE-2022-29165)\n\n* argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server (CVE-2022-24904)\n\n* argocd: Login screen allows message spoofing if SSO is enabled (CVE-2022-24905)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:4671", "url": "https://access.redhat.com/errata/RHSA-2022:4671" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2081686", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081686" }, { "category": "external", "summary": "2081689", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081689" }, { "category": "external", "summary": "2081691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081691" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_4671.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update", "tracking": { "current_release_date": "2024-11-06T00:54:49+00:00", "generator": { "date": "2024-11-06T00:54:49+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:4671", "initial_release_date": "2022-05-18T19:43:12+00:00", "revision_history": [ { "date": "2022-05-18T19:43:12+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-05-18T19:43:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:54:49+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red 
Hat OpenShift GitOps 1.3", "product": { "name": "Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_gitops:1.3::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift GitOps" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "product": { "name": "openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "product_id": "openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "product_identification_helper": { "purl": "pkg:oci/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.3.10-1" } } }, { "category": "product_version", "name": "openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "product": { "name": "openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "product_id": "openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "product_identification_helper": { "purl": "pkg:oci/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.3.10-1" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "product_id": 
"openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.3.10-1" } } }, { "category": "product_version", "name": "openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "product": { "name": "openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "product_id": "openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "product_identification_helper": { "purl": "pkg:oci/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.3.10-1" } } }, { "category": "product_version", "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64", "product": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64", "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64", "product_identification_helper": { "purl": "pkg:oci/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.3.10-1" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "product": { "name": 
"openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.3.10-1" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.3.10-1" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64" }, "product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { 
"name": "openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64" }, "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64" }, "product_reference": "openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64" }, "product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": 
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64" }, "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-24904", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081691" } ], "notes": [ { "category": "description", "text": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. 
Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD\u0027s repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications\u0027 source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", 
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24904" }, { "category": "external", "summary": "RHBZ#2081691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081691" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24904", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24904" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24904", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24904" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T19:43:12+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", 
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4671" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64" ] } ], "threats": 
[ { "category": "impact", "details": "Moderate" } ], "title": "argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server" }, { "cve": "CVE-2022-24905", "cwe": { "id": "CWE-290", "name": "Authentication Bypass by Spoofing" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081689" } ], "notes": [ { "category": "description", "text": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. 
There are currently no known workarounds.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: Login screen allows message spoofing if SSO is enabled", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24905" }, { "category": "external", "summary": "RHBZ#2081689", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081689" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24905", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24905" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24905", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-24905" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T19:43:12+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4671" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, 
"products": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "argocd: Login screen allows message spoofing if SSO is enabled" }, { "cve": "CVE-2022-29165", "cwe": { "id": "CWE-551", "name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081686" } ], "notes": [ { "category": "description", "text": "A flaw was found in the ArgoCD component of Red Hat GitOps, where an unauthenticated attacker can craft a malicious JWT token while ArgoCD\u0027s anonymous access is enabled and gains full access to the ArgoCD instance. 
This flaw allows the attacker to impersonate any ArgoCD user or role, fully compromising the targeted cluster\u0027s confidentiality, integrity, and availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled", "title": "Vulnerability summary" }, { "category": "other", "text": "The anonymous mode is by default disabled in the ArgoCD instance installed by the Red Hat GitOps operator.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-29165" }, { "category": "external", "summary": "RHBZ#2081686", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2081686" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-29165", "url": "https://www.cve.org/CVERecord?id=CVE-2022-29165" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29165", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29165" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T19:43:12+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4671" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6def698fb89067d2259a34bced9080d3c7b509b711fda795d73f427f9068c1ba_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:2c780222e3aeaffb466f04f5948d474921e9f2a3cc217c4dcc7f83ae268b55a1_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:54bb64a4d6e3044d99f534cce1fbbb2053f8880139a98fddb9e405a71c067359_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:6cf4377fd2efa8ae4965dae8e6cc7cd7017fd739e43618d6daea61244fe40d47_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:95e2be5c2578571d6461ec691466c95f5928fc25e97f7161b98b2a9496a22b5b_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:97871502a00aee8f673601da76111cc39a13088517d6e1d07882f0c4cc249ffc_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:c1aa038cbdef8e2eadb2fee362249aa85e5678a4367f9bdd4320de63e27ef705_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled" } ] }
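The symlink-following issue (CVE-2022-24904) described above comes down to reading a file under a repository checkout without checking where the path really resolves. The following Go program is an added illustration, not Argo CD's repo-server code: it builds a constructed fixture with two fake repository checkouts under a temporary directory, plants a symlink in one that points into the other, and contrasts a naive read (which follows the link) with a hardened read that resolves symlinks on both the root and the candidate path with `filepath.EvalSymlinks` and rejects anything whose real location falls outside the real root. The directory names, file contents and function names are all assumptions made for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var errOutOfBounds = errors.New("path resolves outside the repository root")

// readManifestVulnerable joins the requested name onto the checkout root and
// reads it. os.ReadFile follows symlinks, so a committed link such as
// escape.yaml -> ../repo-b/secret.json is served without complaint.
func readManifestVulnerable(repoRoot, name string) ([]byte, error) {
	return os.ReadFile(filepath.Join(repoRoot, name))
}

// readManifestHardened resolves symlinks on both the root and the candidate
// before comparing them, so a link (or a "../" component) that lands outside
// the real root is refused before any bytes are read.
func readManifestHardened(repoRoot, name string) ([]byte, error) {
	realRoot, err := filepath.EvalSymlinks(repoRoot)
	if err != nil {
		return nil, err
	}
	realPath, err := filepath.EvalSymlinks(filepath.Join(repoRoot, name))
	if err != nil {
		return nil, err
	}
	rel, err := filepath.Rel(realRoot, realPath)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return nil, errOutOfBounds
	}
	return os.ReadFile(realPath)
}

// buildFixture creates a constructed layout for the demo (assumed, not real data):
//   <tmp>/repo-a/app.yaml                      a legitimate manifest
//   <tmp>/repo-a/escape.yaml -> ../repo-b/secret.json   the malicious symlink
//   <tmp>/repo-b/secret.json                   another Application's file
// It returns <tmp>; the caller removes it when done.
func buildFixture() (string, error) {
	tmp, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		return "", err
	}
	repoA := filepath.Join(tmp, "repo-a")
	repoB := filepath.Join(tmp, "repo-b")
	for _, d := range []string{repoA, repoB} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", err
		}
	}
	if err := os.WriteFile(filepath.Join(repoA, "app.yaml"), []byte("kind: Deployment\n"), 0o644); err != nil {
		return "", err
	}
	if err := os.WriteFile(filepath.Join(repoB, "secret.json"), []byte(`{"token":"s3cr3t"}`), 0o600); err != nil {
		return "", err
	}
	// Relative link target, exactly as it would be committed to git.
	if err := os.Symlink(filepath.Join("..", "repo-b", "secret.json"), filepath.Join(repoA, "escape.yaml")); err != nil {
		return "", err
	}
	return tmp, nil
}

func main() {
	tmp, err := buildFixture()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	root := filepath.Join(tmp, "repo-a")
	for _, name := range []string{"app.yaml", "escape.yaml"} {
		v, verr := readManifestVulnerable(root, name)
		h, herr := readManifestHardened(root, name)
		fmt.Printf("%s: vulnerable=%q err=%v | hardened=%q err=%v\n", name, v, verr, h, herr)
	}
}
```

Resolving the root as well as the candidate matters: on systems where the temp directory is itself a symlink (macOS's /tmp, for instance) a prefix check against the unresolved root would wrongly reject every file.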
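The JWT issue (CVE-2022-29165, summarised above as "ArgoCD will blindly trust JWT claims if anonymous access is enabled") is a pattern worth seeing in code: a token whose signature does not verify is demoted to the anonymous path instead of being rejected, but the claims decoded from that unverified token are still consulted. The Go program below is an added illustration of that pattern and its fix, written for this page; it is not Argo CD's authentication code and does not use Argo CD's real key handling. It mints HS256 tokens with the standard library only, forges one with an attacker-chosen key and `sub: admin`, and runs it through a vulnerable and a corrected authenticator with anonymous access on and off. The key strings, claim names and function names are assumptions for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of JWT claims this demo consults.
type Claims struct {
	Subject string   `json:"sub"`
	Groups  []string `json:"groups,omitempty"`
}

// Identity is what an API server would hand to its RBAC layer.
type Identity struct {
	Subject   string
	Groups    []string
	Anonymous bool
}

var errBadToken = errors.New("jwt: signature verification failed")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintHS256 builds a compact HS256 JWT under the given key. The demo uses it
// both for a genuine server-issued token and for the attacker's forgery.
func mintHS256(key []byte, c Claims) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// parseHS256 decodes the claims and then checks the HMAC. It returns the
// decoded claims even when verification fails; that API shape is what makes
// the vulnerable caller below easy to write by accident.
func parseHS256(key []byte, token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("jwt: malformed token")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, errors.New("jwt: bad payload encoding")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, errors.New("jwt: bad payload json")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, errBadToken
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errBadToken
	}
	return c, nil
}

// authenticateVulnerable: when anonymous access is enabled, a token that fails
// verification is not rejected, and the claims from that unverified token are
// still used to build the identity. A forged "sub: admin" walks straight in.
func authenticateVulnerable(key []byte, token string, anonymousEnabled bool) (Identity, error) {
	c, err := parseHS256(key, token)
	if err != nil && !anonymousEnabled {
		return Identity{}, err
	}
	// BUG: reached with err != nil when anonymousEnabled; c came from nobody.
	if c.Subject == "" {
		return Identity{Anonymous: true}, nil
	}
	return Identity{Subject: c.Subject, Groups: c.Groups}, nil
}

// authenticateFixed discards everything from an unverifiable token: the
// request is plain anonymous, or rejected outright if anonymous access is off.
func authenticateFixed(key []byte, token string, anonymousEnabled bool) (Identity, error) {
	c, err := parseHS256(key, token)
	if err != nil {
		if !anonymousEnabled {
			return Identity{}, err
		}
		return Identity{Anonymous: true}, nil
	}
	return Identity{Subject: c.Subject, Groups: c.Groups}, nil
}

func main() {
	serverKey := []byte("server-signing-key-constructed-for-demo") // assumed
	forged := mintHS256([]byte("attacker-chosen-key"), Claims{Subject: "admin"})
	for _, anon := range []bool{false, true} {
		v, verr := authenticateVulnerable(serverKey, forged, anon)
		f, ferr := authenticateFixed(serverKey, forged, anon)
		fmt.Printf("anonymous=%v vulnerable=%+v err=%v\n", anon, v, verr)
		fmt.Printf("anonymous=%v fixed=%+v err=%v\n", anon, f, ferr)
	}
}
```

The check a practitioner wants from this: with anonymous access disabled both versions reject the forgery, which is why the default installation was not exposed; with it enabled, only the fixed version refuses to carry unverified claims forward.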
rhsa-2022_4691
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat OpenShift GitOps 1.3 in openshift-gitops-argocd container.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled (CVE-2022-29165)\n\n* argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server (CVE-2022-24904)\n\n* argocd: Login screen allows message spoofing if SSO is enabled (CVE-2022-24905)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:4691", "url": "https://access.redhat.com/errata/RHSA-2022:4691" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2081686", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081686" }, { "category": "external", "summary": "2081689", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081689" }, { "category": "external", "summary": "2081691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081691" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_4691.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update", "tracking": { "current_release_date": "2024-11-06T00:54:40+00:00", "generator": { "date": "2024-11-06T00:54:40+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:4691", "initial_release_date": "2022-05-18T22:05:00+00:00", "revision_history": [ { "date": "2022-05-18T22:05:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-05-18T22:05:00+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:54:40+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red 
Hat OpenShift GitOps 1.3", "product": { "name": "Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_gitops:1.3::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift GitOps" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "product": { "name": "openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "product_id": "openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "product_identification_helper": { "purl": "pkg:oci/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.3.9-3" } } }, { "category": "product_version", "name": "openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "product": { "name": "openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "product_id": "openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "product_identification_helper": { "purl": "pkg:oci/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.3.9-3" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "product_id": 
"openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.3.9-3" } } }, { "category": "product_version", "name": "openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "product": { "name": "openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "product_id": "openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "product_identification_helper": { "purl": "pkg:oci/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.3.9-3" } } }, { "category": "product_version", "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64", "product": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64", "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64", "product_identification_helper": { "purl": "pkg:oci/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.3.9-3" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "product": { "name": 
"openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.3.9-3" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.3.9-3" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64" }, "product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { 
"name": "openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64" }, "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64" }, "product_reference": "openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64" }, "product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": 
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64 as a component of Red Hat OpenShift GitOps 1.3", "product_id": "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64" }, "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64", "relates_to_product_reference": "8Base-GitOps-1.3" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-24904", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081691" } ], "notes": [ { "category": "description", "text": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. 
Argo CD starting with version 0.7.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD\u0027s repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications\u0027 source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", 
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24904" }, { "category": "external", "summary": "RHBZ#2081691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081691" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24904", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24904" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24904", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24904" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T22:05:00+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", 
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4691" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64" ] } ], "threats": 
[ { "category": "impact", "details": "Moderate" } ], "title": "argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server" }, { "cve": "CVE-2022-24905", "cwe": { "id": "CWE-290", "name": "Authentication Bypass by Spoofing" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081689" } ], "notes": [ { "category": "description", "text": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. 
There are currently no known workarounds.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: Login screen allows message spoofing if SSO is enabled", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24905" }, { "category": "external", "summary": "RHBZ#2081689", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081689" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24905", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24905" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24905", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-24905" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T22:05:00+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4691" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, 
"products": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "argocd: Login screen allows message spoofing if SSO is enabled" }, { "cve": "CVE-2022-29165", "cwe": { "id": "CWE-551", "name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081686" } ], "notes": [ { "category": "description", "text": "A flaw was found in the ArgoCD component of Red Hat GitOps, where an unauthenticated attacker can craft a malicious JWT token while ArgoCD\u0027s anonymous access is enabled and gains full access to the ArgoCD instance. 
This flaw allows the attacker to impersonate any ArgoCD user or role, fully compromising the targeted cluster\u0027s confidentiality, integrity, and availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled", "title": "Vulnerability summary" }, { "category": "other", "text": "The anonymous mode is by default disabled in the ArgoCD instance installed by the Red Hat GitOps operator.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-29165" }, { "category": "external", "summary": "RHBZ#2081686", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2081686" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-29165", "url": "https://www.cve.org/CVERecord?id=CVE-2022-29165" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29165", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29165" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T22:05:00+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4691" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:8621918dacdc5d45ed47f8ecc87e178f5e98b550049d2bee2fd7bba0a918327d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:d38a00c5f807c275dd6830de16899cd51dc7d57b8dd63c0ec5183fa4d28d2a69_amd64", "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b58f08d8e8c03c9ed044795574e2645848eec6ec987233edcc74f99131cfc83d_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:cf03b9810510a741c56c55f085832de2f8dd324cb21fb27f5085dbbc2e350f4c_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ea3f6698c273e1bd2c45d931c44a45f01c15ef1ebd24bc969b824019ff690aac_amd64", "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:aff088cfffc96a75edacd496fccb2bb374130faf1d9d60acf967469eb60a54db_amd64", "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:ef21fbf7fef28e0552515305394ba1496626353476bdc1ad59282bd54f500e32_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled" } ] }
rhsa-2022_4690
Vulnerability from csaf_redhat
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat OpenShift GitOps 1.5 in openshift-gitops-argocd container.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled (CVE-2022-29165)\n\n* argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server (CVE-2022-24904)\n\n* argocd: Login screen allows message spoofing if SSO is enabled (CVE-2022-24905)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:4690", "url": "https://access.redhat.com/errata/RHSA-2022:4690" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2081686", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081686" }, { "category": "external", "summary": "2081689", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081689" }, { "category": "external", "summary": "2081691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081691" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_4690.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update", "tracking": { "current_release_date": "2024-11-06T00:54:32+00:00", "generator": { "date": "2024-11-06T00:54:32+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:4690", "initial_release_date": "2022-05-18T21:21:52+00:00", "revision_history": [ { "date": "2022-05-18T21:21:52+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-05-18T21:21:52+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:54:32+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red 
Hat OpenShift GitOps 1.5", "product": { "name": "Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_gitops:1.5::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift GitOps" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "product": { "name": "openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "product_id": "openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "product_identification_helper": { "purl": "pkg:oci/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.5.1-4" } } }, { "category": "product_version", "name": "openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "product": { "name": "openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "product_id": "openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "product_identification_helper": { "purl": "pkg:oci/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.5.1-4" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "product_id": 
"openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.5.1-4" } } }, { "category": "product_version", "name": "openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "product": { "name": "openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "product_id": "openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "product_identification_helper": { "purl": "pkg:oci/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.5.1-4" } } }, { "category": "product_version", "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64", "product": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64", "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64", "product_identification_helper": { "purl": "pkg:oci/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.5.1-4" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "product": { "name": 
"openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.5.1-4" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.5.1-4" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64" }, "product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { 
"name": "openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64" }, "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64" }, "product_reference": "openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64" }, "product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": 
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64" }, "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-24904", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081691" } ], "notes": [ { "category": "description", "text": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. 
Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD\u0027s repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications\u0027 source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", 
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24904" }, { "category": "external", "summary": "RHBZ#2081691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081691" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24904", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24904" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24904", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24904" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T21:21:52+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", 
"8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4690" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64" ] } ], "threats": 
[ { "category": "impact", "details": "Moderate" } ], "title": "argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server" }, { "cve": "CVE-2022-24905", "cwe": { "id": "CWE-290", "name": "Authentication Bypass by Spoofing" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081689" } ], "notes": [ { "category": "description", "text": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. 
There are currently no known workarounds.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: Login screen allows message spoofing if SSO is enabled", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24905" }, { "category": "external", "summary": "RHBZ#2081689", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081689" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24905", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24905" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24905", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-24905" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T21:21:52+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4690" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, 
"products": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "argocd: Login screen allows message spoofing if SSO is enabled" }, { "cve": "CVE-2022-29165", "cwe": { "id": "CWE-551", "name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081686" } ], "notes": [ { "category": "description", "text": "A flaw was found in the ArgoCD component of Red Hat GitOps, where an unauthenticated attacker can craft a malicious JWT token while ArgoCD\u0027s anonymous access is enabled and gains full access to the ArgoCD instance. 
This flaw allows the attacker to impersonate any ArgoCD user or role, fully compromising the targeted cluster\u0027s confidentiality, integrity, and availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled", "title": "Vulnerability summary" }, { "category": "other", "text": "The anonymous mode is by default disabled in the ArgoCD instance installed by the Red Hat GitOps operator.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-29165" }, { "category": "external", "summary": "RHBZ#2081686", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2081686" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-29165", "url": "https://www.cve.org/CVERecord?id=CVE-2022-29165" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29165", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29165" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T21:21:52+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4690" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:a82e54981e175c7ea5e615aef6659be0c8c2bb2042c4ca762f3551244c352a0d_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:87e4957bcecd23fc21fe44d00a6c40b7bdb62afd0c606ca5dfbd8defeeaad83a_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:6e1df31388b61351e0ecefe05085dcba23f1524f5c8bb59afd8a00d9039310d6_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2420c7de9ade63c11b453730568a64772ca3ec1551b9b5e9ae8bfa2eef2b3cd9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e05a6d29b0822647709a521e47584222e5451c0e53940eacf05b7ac9732bae93_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:969a1b2b159bdd09f44edb3edcaf7ce9928b223f823a4999404ae8f068b006aa_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:df2f63afa7c824ef139fdc44c420f6c1cc1f0986df520ee3b3e4afd02882566e_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled" } ] }
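The CVE-2022-29165 entries above (CWE-551, "Authorization Before Parsing and Canonicalization") describe a token whose claims are acted on although its signature never verified, with anonymous access turning that fall-through into an unauthenticated impersonation of any user or role. The following Go program is an added illustration of that bug class, not Argo CD's or Red Hat's code: the `Server`, `Claims`, the HS256-signed session token and the key are all constructed for the example, and Argo CD's real session handling (Dex, OIDC, its own claim layout) differs. It shows a verifier that parses claims first and lets them survive the anonymous fallback, beside one that treats only an absent token as anonymous, pins the algorithm, and verifies the HMAC before any claim is read.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of JWT claims the example's authorizer acts on.
type Claims struct {
	Subject string   `json:"sub"`
	Groups  []string `json:"groups,omitempty"`
}

// Server models the two settings that matter here: whether anonymous access
// is enabled and the HMAC key that signs session tokens (constructed example).
type Server struct {
	AnonymousEnabled bool
	SigningKey       []byte
}

const jwtHeader = `{"alg":"HS256","typ":"JWT"}`

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signedToken mints a valid HS256 token; used only to build sample input.
func signedToken(key []byte, claims Claims) string {
	payload, _ := json.Marshal(claims)
	signingInput := b64url([]byte(jwtHeader)) + "." + b64url(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64url(mac.Sum(nil))
}

// forgedToken carries attacker-chosen claims and a garbage signature: no key.
func forgedToken(claims Claims) string {
	payload, _ := json.Marshal(claims)
	return b64url([]byte(jwtHeader)) + "." + b64url(payload) + "." + b64url([]byte("no-key-here"))
}

func parseClaims(seg string) (Claims, error) {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, err
	}
	return c, nil
}

// verify recomputes the HMAC over header.payload and compares in constant time.
func (s *Server) verify(signingInput, sigSeg string) bool {
	sig, err := base64.RawURLEncoding.DecodeString(sigSeg)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, s.SigningKey)
	mac.Write([]byte(signingInput))
	return hmac.Equal(sig, mac.Sum(nil))
}

// AuthorizeVulnerable reproduces the bug class: claims are parsed before the
// signature is checked, and when verification fails under anonymous access the
// already-parsed, untrusted claims are returned as the caller's identity.
func (s *Server) AuthorizeVulnerable(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	claims, err := parseClaims(parts[1]) // parsed before verification
	if err != nil {
		return Claims{}, err
	}
	if !s.verify(parts[0]+"."+parts[1], parts[2]) {
		if s.AnonymousEnabled {
			return claims, nil // BUG: unverified claims survive the anonymous fallback
		}
		return Claims{}, errors.New("invalid signature")
	}
	return claims, nil
}

// AuthorizeFixed maps only an absent token to the anonymous identity, pins the
// algorithm, verifies the signature, and parses claims only after that.
func (s *Server) AuthorizeFixed(token string) (Claims, error) {
	if token == "" {
		if s.AnonymousEnabled {
			return Claims{Subject: "anonymous"}, nil
		}
		return Claims{}, errors.New("authentication required")
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unsupported or missing alg")
	}
	if !s.verify(parts[0]+"."+parts[1], parts[2]) {
		return Claims{}, errors.New("invalid signature")
	}
	return parseClaims(parts[1])
}

func main() {
	srv := &Server{AnonymousEnabled: true, SigningKey: []byte("server-side-secret")}
	forged := forgedToken(Claims{Subject: "admin", Groups: []string{"admin"}})
	c, err := srv.AuthorizeVulnerable(forged)
	fmt.Printf("vulnerable: subject=%q err=%v\n", c.Subject, err)
	c, err = srv.AuthorizeFixed(forged)
	fmt.Printf("fixed:      subject=%q err=%v\n", c.Subject, err)
}
```

Two checks to carry over to any real deployment: the advisory's precondition is anonymous access, so the Red Hat statement that the operator disables it by default is the first thing to confirm on an unpatched instance, and a presented-but-invalid token should be rejected outright rather than downgraded to anonymous, since the downgrade path is exactly where parsed-but-unverified state leaks through.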
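The CVE-2022-24904 entries describe a repo-server that follows a committed symlink out of the repository checkout and returns the target as if it were a manifest. The Go program below is an added example of the containment check that closes that class of bug; it is not Argo CD's repo-server code, and the fixture (a temporary "repo" with a `deployment.json` link to `../outside/secret.json`, and the file names and contents) is constructed for the demonstration. The naive reader checks only the lexical path and so serves the secret; the safe reader resolves symlinks on both the root and the candidate before deciding whether the file is inside the repository.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// readManifestNaive reproduces the bug class: the lexical path is confirmed to
// sit under root, but the file is then opened through whatever symlink lives
// there, so a link to an outside file passes the check and is leaked.
func readManifestNaive(root, rel string) ([]byte, error) {
	p := filepath.Join(root, rel)
	if !strings.HasPrefix(p, filepath.Clean(root)+string(os.PathSeparator)) {
		return nil, errors.New("path escapes repository root")
	}
	return os.ReadFile(p)
}

// readManifestSafe resolves symlinks on both sides before the containment
// check, so the decision is made on the file that would actually be read.
func readManifestSafe(root, rel string) ([]byte, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	realPath, err := filepath.EvalSymlinks(filepath.Join(realRoot, rel))
	if err != nil {
		return nil, err
	}
	relPath, err := filepath.Rel(realRoot, realPath)
	if err != nil || relPath == ".." || strings.HasPrefix(relPath, ".."+string(os.PathSeparator)) {
		return nil, fmt.Errorf("%s resolves to %s, outside the repository root", rel, realPath)
	}
	return os.ReadFile(realPath)
}

// setupFixture builds a throwaway layout (constructed for this example):
//   <base>/outside/secret.json      a file the repo must never expose
//   <base>/repo/deployment.json     a symlink committed by the "malicious user"
func setupFixture() (root, secret string, cleanup func(), err error) {
	base, err := os.MkdirTemp("", "argocd-symlink-demo")
	if err != nil {
		return "", "", nil, err
	}
	cleanup = func() { os.RemoveAll(base) }
	root = filepath.Join(base, "repo")
	secret = filepath.Join(base, "outside", "secret.json")
	steps := []error{
		os.MkdirAll(root, 0o700),
		os.MkdirAll(filepath.Dir(secret), 0o700),
		os.WriteFile(secret, []byte(`{"token":"hunter2"}`), 0o600),
		os.Symlink("../outside/secret.json", filepath.Join(root, "deployment.json")),
	}
	for _, e := range steps {
		if e != nil {
			cleanup()
			return "", "", nil, e
		}
	}
	return root, secret, cleanup, nil
}

func main() {
	root, secret, cleanup, err := setupFixture()
	if err != nil {
		fmt.Println("fixture:", err)
		return
	}
	defer cleanup()
	fmt.Println("secret lives at", secret)
	leaked, err := readManifestNaive(root, "deployment.json")
	fmt.Printf("naive: %q err=%v\n", leaked, err)
	_, err = readManifestSafe(root, "deployment.json")
	fmt.Printf("safe:  err=%v\n", err)
}
```

The check resolves the root as well as the candidate because temporary and mounted directories are themselves often symlinks (for example `/tmp` on macOS), and a comparison between a resolved candidate and an unresolved root would reject every legitimate file. The same resolve-then-compare order applies to any file a manifest generator reads on behalf of a repository, not only to the manifest itself.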
rhsa-2022_4692
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat OpenShift GitOps 1.4 in openshift-gitops-argocd container.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled (CVE-2022-29165)\n\n* argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server (CVE-2022-24904)\n\n* argocd: Login screen allows message spoofing if SSO is enabled (CVE-2022-24905)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2022:4692", "url": "https://access.redhat.com/errata/RHSA-2022:4692" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2081686", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081686" }, { "category": "external", "summary": "2081689", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081689" }, { "category": "external", "summary": "2081691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081691" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_4692.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update", "tracking": { "current_release_date": "2024-11-06T00:55:03+00:00", "generator": { "date": "2024-11-06T00:55:03+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2022:4692", "initial_release_date": "2022-05-18T22:05:25+00:00", "revision_history": [ { "date": "2022-05-18T22:05:25+00:00", "number": "1", "summary": "Initial version" }, { "date": "2022-05-18T22:05:25+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T00:55:03+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red 
Hat OpenShift GitOps 1.4", "product": { "name": "Red Hat OpenShift GitOps 1.4", "product_id": "8Base-GitOps-1.4", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_gitops:1.4::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift GitOps" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "product": { "name": "openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "product_id": "openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "product_identification_helper": { "purl": "pkg:oci/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.4.7-2" } } }, { "category": "product_version", "name": "openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "product": { "name": "openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "product_id": "openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "product_identification_helper": { "purl": "pkg:oci/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.4.7-2" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "product_id": 
"openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.4.7-2" } } }, { "category": "product_version", "name": "openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "product": { "name": "openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "product_id": "openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "product_identification_helper": { "purl": "pkg:oci/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.4.7-2" } } }, { "category": "product_version", "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64", "product": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64", "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64", "product_identification_helper": { "purl": "pkg:oci/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.4.7-2" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "product": { "name": 
"openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.4.7-2" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.4.7-2" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64 as a component of Red Hat OpenShift GitOps 1.4", "product_id": "8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64" }, "product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "relates_to_product_reference": "8Base-GitOps-1.4" }, { "category": "default_component_of", "full_product_name": { 
"name": "openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64 as a component of Red Hat OpenShift GitOps 1.4", "product_id": "8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64" }, "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "relates_to_product_reference": "8Base-GitOps-1.4" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64 as a component of Red Hat OpenShift GitOps 1.4", "product_id": "8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64" }, "product_reference": "openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "relates_to_product_reference": "8Base-GitOps-1.4" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64 as a component of Red Hat OpenShift GitOps 1.4", "product_id": "8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64" }, "product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "relates_to_product_reference": "8Base-GitOps-1.4" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64 as a component of Red Hat OpenShift GitOps 1.4", "product_id": 
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "relates_to_product_reference": "8Base-GitOps-1.4" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64 as a component of Red Hat OpenShift GitOps 1.4", "product_id": "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "relates_to_product_reference": "8Base-GitOps-1.4" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64 as a component of Red Hat OpenShift GitOps 1.4", "product_id": "8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64" }, "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64", "relates_to_product_reference": "8Base-GitOps-1.4" } ] }, "vulnerabilities": [ { "cve": "CVE-2022-24904", "cwe": { "id": "CWE-787", "name": "Out-of-bounds Write" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081691" } ], "notes": [ { "category": "description", "text": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. 
Argo CD starting with version 0.7.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD\u0027s repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications\u0027 source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. Users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications may disable the Jsonnet/directory config management tool as a workaround.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", 
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24904" }, { "category": "external", "summary": "RHBZ#2081691", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081691" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24904", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24904" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24904", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24904" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T22:05:25+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", 
"8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4692" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64" ] } ], "threats": 
[ { "category": "impact", "details": "Moderate" } ], "title": "argocd: Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server" }, { "cve": "CVE-2022-24905", "cwe": { "id": "CWE-290", "name": "Authentication Bypass by Spoofing" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081689" } ], "notes": [ { "category": "description", "text": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was found in Argo CD prior to versions 2.3.4, 2.2.9, and 2.1.15 that allows an attacker to spoof error messages on the login screen when single sign on (SSO) is enabled. In order to exploit this vulnerability, an attacker would have to trick the victim to visit a specially crafted URL which contains the message to be displayed. As far as the research of the Argo CD team concluded, it is not possible to specify any active content (e.g. Javascript) or other HTML fragments (e.g. clickable links) in the spoofed message. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. 
There are currently no known workarounds.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: Login screen allows message spoofing if SSO is enabled", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-24905" }, { "category": "external", "summary": "RHBZ#2081689", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2081689" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-24905", "url": "https://www.cve.org/CVERecord?id=CVE-2022-24905" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-24905", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-24905" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-xmg8-99r8-jc2j" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T22:05:25+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4692" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, 
"products": [ "8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "argocd: Login screen allows message spoofing if SSO is enabled" }, { "cve": "CVE-2022-29165", "cwe": { "id": "CWE-551", "name": "Incorrect Behavior Order: Authorization Before Parsing and Canonicalization" }, "discovery_date": "2022-05-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2081686" } ], "notes": [ { "category": "description", "text": "A flaw was found in the ArgoCD component of Red Hat GitOps, where an unauthenticated attacker can craft a malicious JWT token while ArgoCD\u0027s anonymous access is enabled and gains full access to the ArgoCD instance. 
This flaw allows the attacker to impersonate any ArgoCD user or role, fully compromising the targeted cluster\u0027s confidentiality, integrity, and availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled", "title": "Vulnerability summary" }, { "category": "other", "text": "The anonymous mode is by default disabled in the ArgoCD instance installed by the Red Hat GitOps operator.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-29165" }, { "category": "external", "summary": "RHBZ#2081686", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2081686" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-29165", "url": "https://www.cve.org/CVERecord?id=CVE-2022-29165" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-29165", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29165" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj" } ], "release_date": "2022-05-18T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2022-05-18T22:05:25+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2022:4692" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:e890bd2bbd025a368c7dd0625612ced98d0e11b110b6381fdb0888dac2504728_amd64", "8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:3f55b9686dfa194667db93cd044a71b2e2d52f73ac10f0f99d95197bb4e5f130_amd64", "8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:eb39bc1c6907584501efd99ef9a25faaf6737b7ef4377e5c35dc833d4ec93531_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:09bb7f98f120c9ceb5cdfc8b6b86f1b290be9c841bf6aa67c91bb3b05367b5b2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:e9b8ac8b2187fcd5c1533f7a8c7c12715bd2cfac7ceac5b750bc510f5bf57fd2_amd64", "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:f99ceb45207658527db7e1cf2938a393d876b2431cdc583ea05a2f9cb305e071_amd64", "8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:e371787eefe08695d130b0fd84c81c4bf966be6f1c82222e5c9ae0a8fa45428f_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "argocd: ArgoCD will blindly trust JWT claims if anonymous access is enabled" } ] }
gsd-2022-29165
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2022-29165", "description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. 
As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable.", "id": "GSD-2022-29165", "references": [ "https://access.redhat.com/errata/RHSA-2022:4671", "https://access.redhat.com/errata/RHSA-2022:4690", "https://access.redhat.com/errata/RHSA-2022:4691", "https://access.redhat.com/errata/RHSA-2022:4692" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2022-29165" ], "details": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. 
As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable.", "id": "GSD-2022-29165", "modified": "2023-12-13T01:19:42.301960Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29165", "STATE": "PUBLIC", "TITLE": "Argo CD will blindly trust JWT claims if anonymous access is enabled" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "argo-cd", "version": { "version_data": [ { "version_value": "\u003e= 1.4.0, \u003c 2.1.15" }, { "version_value": "\u003e= 2.2.0, \u003c 2.2.9" }, { "version_value": "\u003e= 2.3.0, \u003c 2.3.4" } ] } } ] }, "vendor_name": "argoproj" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. 
This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" } ] }, { "description": [ { "lang": "eng", "value": "CWE-287: Improper Authentication" } ] }, { "description": [ { "lang": "eng", "value": "CWE-290: Authentication Bypass by Spoofing" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15", "refsource": "MISC", "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15" }, { "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9", "refsource": "MISC", "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9" }, { "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4", "refsource": "MISC", "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4" }, { "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj", "refsource": "CONFIRM", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj" } ] }, "source": { "advisory": "GHSA-r642-gv9p-2wjj", "discovery": "UNKNOWN" } }, 
"gitlab.com": { "advisories": [ { "affected_range": "\u003c=v1.8.7", "affected_versions": "All versions up to 1.8.7", "cwe_ids": [ "CWE-1035", "CWE-200", "CWE-287", "CWE-290", "CWE-937" ], "date": "2022-05-24", "description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. 
As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable.", "fixed_versions": [ "v2.1.15" ], "identifier": "CVE-2022-29165", "identifiers": [ "GHSA-r642-gv9p-2wjj", "CVE-2022-29165" ], "not_impacted": "All versions after 1.8.7", "package_slug": "go/github.com/argoproj/argo-cd", "pubdate": "2022-05-24", "solution": "Upgrade to version 2.1.15 or above.", "title": "Authentication Bypass by Spoofing", "urls": [ "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj", "https://nvd.nist.gov/vuln/detail/CVE-2022-29165", "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15", "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9", "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4", "https://github.com/advisories/GHSA-r642-gv9p-2wjj" ], "uuid": "f507387c-27e0-4a8c-9d2f-0981ad3e18c7", "versions": [ { "commit": { "sha": "eb3d1fb84b9b77cdffd70b14c4f949f1c64a9416", "tags": [ "v1.8.7" ], "timestamp": "20210303070237" }, "number": "v1.8.7" }, { "commit": { "sha": "52f917a18165416baa418822daae36c5f011e91f", "tags": [ "v2.1.15" ], "timestamp": "20220518123422" }, "number": "v2.1.15" } ] }, { "affected_range": "\u003cv2.1.15 || \u003e=v2.2.0 \u003cv2.2.9 || \u003e=v2.3.0 \u003cv2.3.4", "affected_versions": "All versions starting from 2.2.0 before 2.2.9, all versions starting from 2.3.0 before 2.3.4, all versions before 2.1.15", "cwe_ids": [ "CWE-1035", "CWE-200", "CWE-287", "CWE-290", "CWE-937" ], "date": "2022-05-24", "description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. 
In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. 
As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable.", "fixed_versions": [ "v2.2.9", "v2.3.4" ], "identifier": "CVE-2022-29165", "identifiers": [ "GHSA-r642-gv9p-2wjj", "CVE-2022-29165" ], "not_impacted": "All versions before 2.2.0, all versions starting from 2.2.9 before 2.3.0", "package_slug": "go/github.com/argoproj/argo-cd/v2", "pubdate": "2022-05-24", "solution": "Upgrade to versions 2.2.9, 2.3.4 or above.", "title": "Authentication Bypass by Spoofing", "urls": [ "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj", "https://nvd.nist.gov/vuln/detail/CVE-2022-29165", "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15", "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9", "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4", "https://github.com/advisories/GHSA-r642-gv9p-2wjj" ], "uuid": "1c111556-4aca-4e55-a844-19d31fcc0d56", "versions": [ { "commit": { "sha": "6da92a8e8103ce4145bb0fe2b7e952be79c9ff0a", "tags": [ "v2.2.0" ], "timestamp": "20211214180104" }, "number": "v2.2.0" }, { "commit": { "sha": "fe427802293b090f43f91f5839393174df6c3b3a", "tags": [ "v2.3.0" ], "timestamp": "20220306061859" }, "number": "v2.3.0" }, { "commit": { "sha": "ac8b7df9467ffcc0920b826c62c4b603a7bfed24", "tags": [ "stable", "v2.3.4" ], "timestamp": "20220518113227" }, "number": "v2.3.4" }, { "commit": { "sha": "38755a4c1e5232aa2e6f80c062593c9f07da0757", "tags": [ "v2.2.9" ], "timestamp": "20220518115529" }, "number": "v2.2.9" }, { "commit": { "sha": "52f917a18165416baa418822daae36c5f011e91f", "tags": [ "v2.1.15" ], "timestamp": "20220518123422" }, "number": "v2.1.15" } ] } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.3.4", "versionStartIncluding": "2.3.0", "vulnerable": true }, { "cpe23Uri": 
"cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.2.9", "versionStartIncluding": "2.2.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.1.15", "versionStartIncluding": "1.4.0", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2022-29165" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this. If anonymous access to the instance is enabled, an attacker can escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster. They may also exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API. 
A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. As a workaround, one may disable anonymous access, but upgrading to a patched version is preferable." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-290" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9", "refsource": "MISC", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.2.9" }, { "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj", "refsource": "CONFIRM", "tags": [ "Mitigation", "Third Party Advisory" ], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj" }, { "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4", "refsource": "MISC", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.3.4" }, { "name": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15", "refsource": "MISC", "tags": [ "Release Notes", "Third Party Advisory" ], "url": "https://github.com/argoproj/argo-cd/releases/tag/v2.1.15" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false }, "baseMetricV3": { "cvssV3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 6.0 } }, "lastModifiedDate": "2022-06-02T15:26Z", "publishedDate": "2022-05-20T15:15Z" } } }
ghsa-r642-gv9p-2wjj
Vulnerability from github
Impact
A critical vulnerability has been discovered in Argo CD which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled.
In a default Argo CD installation, anonymous access is disabled. To find out if anonymous access is enabled in your instance, please see the Workarounds section of this advisory below.
The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether that account is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this.
If anonymous access to the instance is enabled, an attacker can:
- Escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster.
- Exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API.
We strongly recommend that all users of Argo CD update to a version containing this patch as soon as possible, regardless of whether or not anonymous access is enabled in your instance.
Please see below for a list of versions containing a fix for this vulnerability and any possible workarounds existing for this issue.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v2.3.4
- v2.2.9
- v2.1.15
Workarounds
Disable anonymous access
If you are not able to upgrade to a patched version quickly, we highly suggest disabling anonymous access if it is enabled.
To find out whether anonymous access is enabled for your Argo CD instance, you can query the `argocd-cm` ConfigMap in the Argo CD's installation namespace. The below example assumes you have installed Argo CD to the `argocd` namespace:
```shell
$ kubectl get -n argocd cm argocd-cm -o jsonpath='{.data.users\.anonymous\.enabled}'
```
If the result of this command is either empty or `"false"`, anonymous access to that instance is not enabled. If the result is `"true"`, your instance is vulnerable.
To disable anonymous access, patch the `argocd-cm` ConfigMap to either remove the `users.anonymous.enabled` field or set this field to `"false"`.
To set the field to `"false"`:
```shell
$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"add", "path":"/data/users.anonymous.enabled", "value":"false"}]'
```
Or you can remove the field completely, thus disabling anonymous access because the default is `false`:
```shell
$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"remove", "path":"/data/users.anonymous.enabled"}]'
```
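As an added example (not code from the advisory or the Argo CD project), the following Python ties the workaround checks together: it tests an installed version against the affected ranges listed in this record, reads the same `users.anonymous.enabled` field the `kubectl` query above inspects from a ConfigMap fetched with `-o json`, and emits the advisory's JSON patch. The sample ConfigMap, its URL, and the case-insensitive handling of the field value are assumptions made for the example.

```python
"""Added example, not code from the Argo CD advisory: decide from an
instance's version and its argocd-cm ConfigMap whether CVE-2022-29165
applies, mirroring the advisory's checks and emitting its JSON patch."""
import json
import re

# Affected ranges from the advisory, as [introduced, fixed) per release line.
AFFECTED_RANGES = (
    ((1, 4, 0), (2, 1, 15)),
    ((2, 2, 0), (2, 2, 9)),
    ((2, 3, 0), (2, 3, 4)),
)

# JSON patch operations quoted from the advisory's workaround.
SET_FALSE_PATCH = [{"op": "add", "path": "/data/users.anonymous.enabled", "value": "false"}]
REMOVE_FIELD_PATCH = [{"op": "remove", "path": "/data/users.anonymous.enabled"}]


def parse_version(version: str) -> tuple:
    """Reduce 'v2.3.4', '2.3.4' or '2.3.4+gabcdef' to (2, 3, 4)."""
    match = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unparsable Argo CD version: {version!r}")
    return tuple(int(part) for part in match.groups())


def version_is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    ver = parse_version(version)
    return any(low <= ver < high for low, high in AFFECTED_RANGES)


def anonymous_access_enabled(configmap: dict) -> bool:
    """Same decision as the advisory's jsonpath query on argocd-cm:
    a missing or empty field, or "false", means disabled; only "true" enables it.
    Assumption: surrounding whitespace and letter case are ignored so that a
    value such as "True" is still flagged rather than silently treated as off."""
    data = configmap.get("data") or {}
    value = data.get("users.anonymous.enabled", "")
    return str(value).strip().lower() == "true"


def assess(version: str, configmap: dict) -> dict:
    """Combine both checks into one verdict for an operator."""
    affected = version_is_affected(version)
    anonymous = anonymous_access_enabled(configmap)
    if affected and anonymous:
        status = "vulnerable"      # unauthenticated JWT impersonation is reachable
        action = "upgrade now; until then apply SET_FALSE_PATCH or REMOVE_FIELD_PATCH"
    elif affected:
        status = "unpatched"       # not exposed today, but the advisory still says upgrade
        action = "upgrade to v2.3.4, v2.2.9 or v2.1.15 (or later)"
    else:
        status = "patched"
        action = "none required for this CVE"
    return {
        "version": version,
        "affected_version": affected,
        "anonymous_access": anonymous,
        "status": status,
        "action": action,
    }


def workaround_patch_json() -> str:
    """The -p argument for `kubectl patch --type=json` that sets the field to "false"."""
    return json.dumps(SET_FALSE_PATCH)


# Constructed sample: what `kubectl get cm argocd-cm -o json` might return
# on an instance where anonymous access has been switched on (hypothetical URL).
SAMPLE_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "argocd-cm", "namespace": "argocd"},
    "data": {"url": "https://argocd.example.internal", "users.anonymous.enabled": "true"},
}

if __name__ == "__main__":
    for ver in ("v2.3.3", "v2.3.4", "v2.1.15", "v2.2.8"):
        print(ver, assess(ver, SAMPLE_CONFIGMAP)["status"])
    print("patch:", workaround_patch_json())
```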
Credits
The Argo CD team would like to thank Mark Pim and Andrzej Hajto, who discovered this vulnerability and reported it in a responsible way to us.
For more information
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
GHSA-r642-gv9p-2wjj (GitHub Advisory Database record)
- Summary: Argo CD will blindly trust JWT claims if anonymous access is enabled
- Aliases: CVE-2022-29165
- Severity: CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- CWE: CWE-200, CWE-287, CWE-290
- Published / modified: 2022-05-24T20:47:34Z (GitHub reviewed 2022-05-24T20:47:34Z; NVD published 2022-05-20T15:15:00Z)
- Schema version: 1.4.0

Affected packages (Go ecosystem)
Package | Introduced | Fixed | Note
---|---|---|---
github.com/argoproj/argo-cd/v2 | 2.3.0 | 2.3.4 |
github.com/argoproj/argo-cd/v2 | 2.2.0 | 2.2.9 |
github.com/argoproj/argo-cd/v2 | 0 | 2.1.15 |
github.com/argoproj/argo-cd | 0 | 2.1.15 | last known affected version range: <= 1.8.7

References
- WEB: https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-29165
- WEB: https://github.com/argoproj/argo-cd/releases/tag/v2.1.15
- WEB: https://github.com/argoproj/argo-cd/releases/tag/v2.2.9
- WEB: https://github.com/argoproj/argo-cd/releases/tag/v2.3.4
- PACKAGE: github.com/argoproj/argo-cd

Details

Impact

A critical vulnerability has been discovered in Argo CD which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, [anonymous access](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/#anonymous-access) to the Argo CD instance must have been enabled.

In a default Argo CD installation, anonymous access is disabled. To find out if anonymous access is enabled in your instance, please see the *Workarounds* section of this advisory below.

The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether that account is enabled or disabled. Also, the attacker does not need an account on the Argo CD instance in order to exploit this.

If anonymous access to the instance is enabled, an attacker can:

- Escalate their privileges, effectively allowing them to gain the same privileges on the cluster as the Argo CD instance, which is cluster admin in a default installation. This will allow the attacker to create, manipulate and delete any resource on the cluster.
- Exfiltrate data by deploying malicious workloads with elevated privileges, thus bypassing any redaction of sensitive data otherwise enforced by the Argo CD API.

We **strongly recommend** that all users of Argo CD update to a version containing this patch as soon as possible, regardless of whether or not anonymous access is enabled in your instance.

Please see below for a list of versions containing a fix for this vulnerability and any possible workarounds existing for this issue.

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

- v2.3.4
- v2.2.9
- v2.1.15

Workarounds

Disable anonymous access

If you are not able to upgrade to a patched version quickly, we highly suggest disabling anonymous access if it is enabled.

To find out whether anonymous access is enabled for your Argo CD instance, you can query the `argocd-cm` ConfigMap in the Argo CD's installation namespace. The below example assumes you have installed Argo CD to the `argocd` namespace:

```shell
$ kubectl get -n argocd cm argocd-cm -o jsonpath='{.data.users\.anonymous\.enabled}'
```

If the result of this command is either empty or `"false"`, anonymous access to that instance is not enabled. If the result is `"true"`, your instance is vulnerable.

To disable anonymous access, patch the `argocd-cm` ConfigMap to either remove the `users.anonymous.enabled` field or set this field to `"false"`.

To set the field to `"false"`:

```shell
$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"add", "path":"/data/users.anonymous.enabled", "value":"false"}]'
```

Or you can remove the field completely, thus disabling anonymous access because the default is `false`:

```shell
$ kubectl patch -n argocd cm argocd-cm --type=json -p='[{"op":"remove", "path":"/data/users.anonymous.enabled"}]'
```

Credits

The Argo CD team would like to thank Mark Pim and Andrzej Hajto, who discovered this vulnerability and reported it in a responsible way to us.

For more information

- Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)
- Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd
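The affected ranges in the advisory record and its `users.anonymous.enabled` ConfigMap check, combined into one triage helper. This is an added example, not Argo CD project code; the ConfigMap document is a constructed sample standing in for `kubectl get -n argocd cm argocd-cm -o json` output, and the version ranges are the GHSA record's own (introduced/fixed pairs).

```python
"""Exposure triage for GHSA-r642-gv9p-2wjj / CVE-2022-29165 (added example,
not Argo CD project code). A build is exploitable only if its version falls
in an affected range AND the argocd-cm ConfigMap enables anonymous access;
the advisory still asks affected builds with anonymous access off to upgrade."""
import json
import re

# Affected ranges from the GHSA record, as [introduced, fixed) version tuples.
AFFECTED_RANGES = [((0, 0, 0), (2, 1, 15)),
                   ((2, 2, 0), (2, 2, 9)),
                   ((2, 3, 0), (2, 3, 4))]


def parse_version(tag):
    """'v2.3.3' or '2.3.3+abcdef' -> (2, 3, 3); anything else is rejected."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", tag.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(tag):
    v = parse_version(tag)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def anonymous_access_enabled(configmap_json):
    """Same semantics as the advisory's jsonpath query: only the literal
    string "true" enables anonymous access; absent or "false" means off."""
    data = json.loads(configmap_json).get("data") or {}
    return data.get("users.anonymous.enabled", "false").strip().lower() == "true"


def assess(tag, configmap_json):
    """Returns 'exploitable', 'upgrade-needed' or 'patched' (see module doc)."""
    if not is_affected_version(tag):
        return "patched"
    return "exploitable" if anonymous_access_enabled(configmap_json) else "upgrade-needed"


# Constructed sample ConfigMap, trimmed to the key the advisory cares about.
SAMPLE_CM = json.dumps({"kind": "ConfigMap", "metadata": {"name": "argocd-cm"},
                        "data": {"users.anonymous.enabled": "true"}})

if __name__ == "__main__":
    print(assess("v2.3.3", SAMPLE_CM))  # exploitable
```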
Sightings
Author | Source | Type | Date
---|---|---|---
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.