Action not permitted
Modal body text goes here.
cve-2022-31034
Vulnerability from cvelistv5
Published
2022-06-27 19:00
Modified
2024-08-03 07:03
Severity ?
EPSS score ?
Summary
Insecure entropy in argo-cd
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v | Third Party Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.296Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.11.0, \u003c 2.1.16"
},
{
"status": "affected",
"version": "\u003e= 2.2.0, \u003c 2.2.10"
},
{
"status": "affected",
"version": "\u003e= 2.3.0, \u003c 2.3.5"
},
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-330",
"description": "CWE-330: Use of Insufficiently Random Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T19:00:19",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0"
}
],
"source": {
"advisory": "GHSA-2m7h-86qq-fp4v",
"discovery": "UNKNOWN"
},
"title": "Insecure entropy in argo-cd",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31034",
"STATE": "PUBLIC",
"TITLE": "Insecure entropy in argo-cd"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "argo-cd",
"version": {
"version_data": [
{
"version_value": "\u003e= 0.11.0, \u003c 2.1.16"
},
{
"version_value": "\u003e= 2.2.0, \u003c 2.2.10"
},
{
"version_value": "\u003e= 2.3.0, \u003c 2.3.5"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.1"
}
]
}
}
]
},
"vendor_name": "argoproj"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-330: Use of Insufficiently Random Values"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v",
"refsource": "CONFIRM",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0",
"refsource": "MISC",
"url": "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0"
}
]
},
"source": {
"advisory": "GHSA-2m7h-86qq-fp4v",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31034",
"datePublished": "2022-06-27T19:00:19",
"dateReserved": "2022-05-18T00:00:00",
"dateUpdated": "2024-08-03T07:03:40.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2022-31034\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2022-06-27T19:15:08.393\",\"lastModified\":\"2024-08-07T15:43:51.540\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability.\"},{\"lang\":\"es\",\"value\":\"Argo CD es una herramienta declarativa de entrega continua GitOps para Kubernetes. Todas las versiones de Argo CD a partir de la v0.11.0, son vulnerables a una variedad de ataques cuando es iniciado un inicio de sesi\u00f3n SSO desde la CLI o la UI de Argo CD. Las vulnerabilidades son debido a un uso de valores insuficientemente aleatorios en los par\u00e1metros de los flujos de inicio de sesi\u00f3n Oauth2/OIDC. En cada caso, el uso de una semilla relativamente predecible (basada en el tiempo) en un generador de n\u00fameros pseudoaleatorios no seguro desde el punto de vista criptogr\u00e1fico hizo que el par\u00e1metro fuera menos aleatorio de lo requerido por la especificaci\u00f3n correspondiente o por las mejores pr\u00e1cticas generales. En algunos casos, el uso de un valor demasiado corto hac\u00eda que la entrop\u00eda fuera a\u00fan menos suficiente. Los ataques a los flujos de inicio de sesi\u00f3n que pretenden mitigarse con estos par\u00e1metros son dif\u00edciles de llevar a cabo, pero pueden tener un alto impacto, pudiendo conceder a un atacante acceso de administrador a Argo CD. Han sido publicados parches para esta vulnerabilidad en las siguientes versiones de Argo CD: v2.4.1, v2.3.5, v2.2.10 y v2.1.16. No son conocidas mitigaciones para esta vulnerabilidad\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":6.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":6.8},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-331\"},{\"lang\":\"en\",\"value\":\"CWE-335\"}]},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-330\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.11.0\",\"versionEndExcluding\":\"2.1.16\",\"matchCriteriaId\":\"EA9547AD-C4FB-4080-AB74-63A4B2FE7026\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.2.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9C0C6B1-4452-4D12-B8F7-841DDF3BEA37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.3.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBA1F528-543F-44EE-8FE3-322C9B002266\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4599BA0B-1F60-4F19-A746-4039A9883E95\"}]}]}],\"references\":[{\"url\":\"https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
rhsa-2022_5187
Vulnerability from csaf_redhat
Published
2022-06-24 21:07
Modified
2024-11-22 19:33
Summary
Red Hat Security Advisory: Red Hat OpenShift GitOps security update
Notes
Topic
An update is now available for Red Hat OpenShift GitOps 1.3 on OpenShift 4.6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.
Security Fix(es):
* argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)
* argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI (CVE-2022-31035)
* argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)
* argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift GitOps 1.3 on OpenShift 4.6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)\n\n* argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI (CVE-2022-31035)\n\n* argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)\n\n* argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:5187",
"url": "https://access.redhat.com/errata/RHSA-2022:5187"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2096278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096278"
},
{
"category": "external",
"summary": "2096282",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096282"
},
{
"category": "external",
"summary": "2096283",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096283"
},
{
"category": "external",
"summary": "2096291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096291"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5187.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update",
"tracking": {
"current_release_date": "2024-11-22T19:33:41+00:00",
"generator": {
"date": "2024-11-22T19:33:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:5187",
"initial_release_date": "2022-06-24T21:07:03+00:00",
"revision_history": [
{
"date": "2022-06-24T21:07:03+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-06-24T21:07:03+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T19:33:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift GitOps 1.3",
"product": {
"name": "Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_gitops:1.3::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift GitOps"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"product": {
"name": "openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"product_id": "openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"product_identification_helper": {
"purl": "pkg:oci/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.3.12-1"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.3.12-1"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.3.12-1"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.3.12-1"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.3.12-1"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"product": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.3.12-1"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.3.12-1"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64"
},
"product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64"
},
"product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-31016",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096283"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ArgoCD, which is vulnerable to an uncontrolled memory consumption bug. A crafted manifest file can lead the ArgoCD\u0027s repo-server component to crash, causing a denial of service. The attacker must be an authenticated user to exploit this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to an uncontrolled memory consumption bug",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31016"
},
{
"category": "external",
"summary": "RHBZ#2096283",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096283"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31016",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31016"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31016",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31016"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-24T21:07:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5187"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "argocd: vulnerable to an uncontrolled memory consumption bug"
},
{
"cve": "CVE-2022-31034",
"cwe": {
"id": "CWE-331",
"name": "Insufficient Entropy"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096282"
}
],
"notes": [
{
"category": "description",
"text": "Several Single sign-on (SSO) vulnerabilities were found in ArgoCD when the login process is initiated via CLI or UI interfaces. The vulnerabilities are related to using insufficiently random value parameters during the login process. This flaw gives the attacker elevated privileges, including the possibility of administrative rights.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31034"
},
{
"category": "external",
"summary": "RHBZ#2096282",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096282"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31034",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31034"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-24T21:07:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5187"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI."
},
{
"cve": "CVE-2022-31035",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096278"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) flaw was found in ArgoCD. This flaw allows a malicious actor to trigger a Cross-site scripting (XSS) vulnerability by storing a link point to a javascript code in ArgoCD UI. A successful attack depends on a user clicking the malicious link and triggering the function available in the UI without the user\u0027s knowledge. The actions done by the malicious code will run with the same victim\u0027s level of access, including administrative privileges, if the victim has this level of permission.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31035"
},
{
"category": "external",
"summary": "RHBZ#2096278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096278"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31035",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31035"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-24T21:07:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5187"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI"
},
{
"cve": "CVE-2022-31036",
"cwe": {
"id": "CWE-61",
"name": "UNIX Symbolic Link (Symlink) Following"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096291"
}
],
"notes": [
{
"category": "description",
"text": "A symlink following vulnerability was found in ArgoCD. A malicious user with write access can commit a symlink pointing to a file outside the expected directories. Once the Helm-type application consumes this symlink, the attacker can read the content of the file referenced by the symbolic link, compromising the confidentiality of other projects under the same ArgoCD installation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:5ff7ebaced7b03edf9042ec952ce078bb2cf043873c1371f70105b1dce51a2bc_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:b87ba9f816195e4c24a6f8ecc5018a1490f1f0558388a4229bc113e8e8212b4b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:d6406b5132eb96d3f8ff535cc88eb0c6d5c57baca7c345084848d0201b706aa2_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:127ad7e1cdee07bb03a65bd95605539d28eb15bed59af719d6c8df12136bac2d_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:2b1097d6a0b11037504f693fc50c006b30b1a231c2d5d95072b7df8816292725_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:61b05cb351191e84427a20e3dcd0c08e9fef07a2782e7c857756b703257d8086_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31036"
},
{
"category": "external",
"summary": "RHBZ#2096291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31036",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31036"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31036",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31036"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-24T21:07:03+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5187"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:c50ef13adc2fca3db28b79214990933d32e177f811379f739a805d2b62f0ee97_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access"
}
]
}
rhsa-2022_5153
Vulnerability from csaf_redhat
Published
2022-06-27 12:42
Modified
2024-11-22 19:33
Summary
Red Hat Security Advisory: Red Hat OpenShift GitOps security update
Notes
Topic
An update is now available for Red Hat OpenShift GitOps 1.4.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.
Security Fix(es):
* argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)
* argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI (CVE-2022-31035)
* argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)
* argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift GitOps 1.4.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)\n\n* argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI (CVE-2022-31035)\n\n* argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)\n\n* argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:5153",
"url": "https://access.redhat.com/errata/RHSA-2022:5153"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2096278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096278"
},
{
"category": "external",
"summary": "2096282",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096282"
},
{
"category": "external",
"summary": "2096283",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096283"
},
{
"category": "external",
"summary": "2096291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096291"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5153.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update",
"tracking": {
"current_release_date": "2024-11-22T19:33:57+00:00",
"generator": {
"date": "2024-11-22T19:33:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:5153",
"initial_release_date": "2022-06-27T12:42:55+00:00",
"revision_history": [
{
"date": "2022-06-27T12:42:55+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-06-27T12:42:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T19:33:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift GitOps 1.4",
"product": {
"name": "Red Hat OpenShift GitOps 1.4",
"product_id": "8Base-GitOps-1.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_gitops:1.4::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift GitOps"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"product": {
"name": "openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"product_id": "openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.4.9-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.4.9-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.4.9-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.4.9-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.4.9-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"product": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.4.9-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.4.9-3"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64 as a component of Red Hat OpenShift GitOps 1.4",
"product_id": "8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64"
},
"product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"relates_to_product_reference": "8Base-GitOps-1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64 as a component of Red Hat OpenShift GitOps 1.4",
"product_id": "8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64",
"relates_to_product_reference": "8Base-GitOps-1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64 as a component of Red Hat OpenShift GitOps 1.4",
"product_id": "8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"relates_to_product_reference": "8Base-GitOps-1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64 as a component of Red Hat OpenShift GitOps 1.4",
"product_id": "8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64"
},
"product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"relates_to_product_reference": "8Base-GitOps-1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64 as a component of Red Hat OpenShift GitOps 1.4",
"product_id": "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"relates_to_product_reference": "8Base-GitOps-1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64 as a component of Red Hat OpenShift GitOps 1.4",
"product_id": "8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"relates_to_product_reference": "8Base-GitOps-1.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64 as a component of Red Hat OpenShift GitOps 1.4",
"product_id": "8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64",
"relates_to_product_reference": "8Base-GitOps-1.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-31016",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096283"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ArgoCD, which is vulnerable to an uncontrolled memory consumption bug. A crafted manifest file can lead the ArgoCD\u0027s repo-server component to crash, causing a denial of service. The attacker must be an authenticated user to exploit this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to an uncontrolled memory consumption bug",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31016"
},
{
"category": "external",
"summary": "RHBZ#2096283",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096283"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31016",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31016"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31016",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31016"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-27T12:42:55+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5153"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "argocd: vulnerable to an uncontrolled memory consumption bug"
},
{
"cve": "CVE-2022-31034",
"cwe": {
"id": "CWE-331",
"name": "Insufficient Entropy"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096282"
}
],
"notes": [
{
"category": "description",
"text": "Several Single sign-on (SSO) vulnerabilities were found in ArgoCD when the login process is initiated via CLI or UI interfaces. The vulnerabilities are related to using insufficiently random value parameters during the login process. This flaw gives the attacker elevated privileges, including the possibility of administrative rights.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31034"
},
{
"category": "external",
"summary": "RHBZ#2096282",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096282"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31034",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31034"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-27T12:42:55+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5153"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI."
},
{
"cve": "CVE-2022-31035",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096278"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) flaw was found in ArgoCD. This flaw allows a malicious actor to trigger a Cross-site scripting (XSS) vulnerability by storing a link point to a javascript code in ArgoCD UI. A successful attack depends on a user clicking the malicious link and triggering the function available in the UI without the user\u0027s knowledge. The actions done by the malicious code will run with the same victim\u0027s level of access, including administrative privileges, if the victim has this level of permission.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31035"
},
{
"category": "external",
"summary": "RHBZ#2096278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096278"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31035",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31035"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-27T12:42:55+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5153"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI"
},
{
"cve": "CVE-2022-31036",
"cwe": {
"id": "CWE-61",
"name": "UNIX Symbolic Link (Symlink) Following"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096291"
}
],
"notes": [
{
"category": "description",
"text": "A symlink following vulnerability was found in ArgoCD. A malicious user with write access can commit a symlink pointing to a file outside the expected directories. Once the Helm-type application consumes this symlink, the attacker can read the content of the file referenced by the symbolic link, compromising the confidentiality of other projects under the same ArgoCD installation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.4:openshift-gitops-1/applicationset-rhel8@sha256:374aa562f7af0db1c11766dc2b0e5dd4a76549fee1de40508ea597a0d60ed73b_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/dex-rhel8@sha256:c9aad6e71e7065524dd22dc292ae0f2109d261f5725a26f5a659d7fdb983976c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-operator-bundle@sha256:d20149f6061e14edf0214ef2da7018eeb8c90b53d04ce3951429391391e59556_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8-operator@sha256:d6f784052a3d27884d5b8b5f6cb9f9ac653a0ecf8aa25212345030c3d30ddeba_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/gitops-rhel8@sha256:1226d32dfdd148450802a938830a7f1306aa2a78a2e0ce0ff712408511f5f55c_amd64",
"8Base-GitOps-1.4:openshift-gitops-1/kam-delivery-rhel8@sha256:70e6fad8c61c08777893e3dc3bbaf3ba4416314bd5e7a6e5436bf25fd2d1b110_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31036"
},
{
"category": "external",
"summary": "RHBZ#2096291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31036",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31036"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31036",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31036"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-27T12:42:55+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5153"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.4:openshift-gitops-1/argocd-rhel8@sha256:7ee44440267be3c3d435b8097fb612bf5dd6fe0cc17ecfe0ca0bbf9bd136ca25_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access"
}
]
}
rhsa-2022_5192
Vulnerability from csaf_redhat
Published
2022-06-24 20:13
Modified
2024-11-22 19:33
Summary
Red Hat Security Advisory: Red Hat OpenShift GitOps security update
Notes
Topic
An update is now available for Red Hat OpenShift GitOps 1.3.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.
Security Fix(es):
* argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)
* argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI (CVE-2022-31035)
* argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)
* argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift GitOps 1.3.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)\n\n* argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI (CVE-2022-31035)\n\n* argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)\n\n* argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:5192",
"url": "https://access.redhat.com/errata/RHSA-2022:5192"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2096278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096278"
},
{
"category": "external",
"summary": "2096282",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096282"
},
{
"category": "external",
"summary": "2096283",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096283"
},
{
"category": "external",
"summary": "2096291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096291"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5192.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update",
"tracking": {
"current_release_date": "2024-11-22T19:33:50+00:00",
"generator": {
"date": "2024-11-22T19:33:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:5192",
"initial_release_date": "2022-06-24T20:13:56+00:00",
"revision_history": [
{
"date": "2022-06-24T20:13:56+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-06-24T20:13:56+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T19:33:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift GitOps 1.3",
"product": {
"name": "Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_gitops:1.3::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift GitOps"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"product": {
"name": "openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"product_id": "openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"product_identification_helper": {
"purl": "pkg:oci/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.3.11-4"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.3.11-4"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.3.11-4"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.3.11-4"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.3.11-4"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"product": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.3.11-4"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.3.11-4"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64"
},
"product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64"
},
"product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64 as a component of Red Hat OpenShift GitOps 1.3",
"product_id": "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64",
"relates_to_product_reference": "8Base-GitOps-1.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-31016",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096283"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ArgoCD, which is vulnerable to an uncontrolled memory consumption bug. A crafted manifest file can lead the ArgoCD\u0027s repo-server component to crash, causing a denial of service. The attacker must be an authenticated user to exploit this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to an uncontrolled memory consumption bug",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31016"
},
{
"category": "external",
"summary": "RHBZ#2096283",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096283"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31016",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31016"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31016",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31016"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-24T20:13:56+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5192"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "argocd: vulnerable to an uncontrolled memory consumption bug"
},
{
"cve": "CVE-2022-31034",
"cwe": {
"id": "CWE-331",
"name": "Insufficient Entropy"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096282"
}
],
"notes": [
{
"category": "description",
"text": "Several Single sign-on (SSO) vulnerabilities were found in ArgoCD when the login process is initiated via CLI or UI interfaces. The vulnerabilities are related to using insufficiently random value parameters during the login process. This flaw gives the attacker elevated privileges, including the possibility of administrative rights.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31034"
},
{
"category": "external",
"summary": "RHBZ#2096282",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096282"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31034",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31034"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-24T20:13:56+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5192"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI."
},
{
"cve": "CVE-2022-31035",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096278"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) flaw was found in ArgoCD. This flaw allows a malicious actor to trigger a Cross-site scripting (XSS) vulnerability by storing a link point to a javascript code in ArgoCD UI. A successful attack depends on a user clicking the malicious link and triggering the function available in the UI without the user\u0027s knowledge. The actions done by the malicious code will run with the same victim\u0027s level of access, including administrative privileges, if the victim has this level of permission.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31035"
},
{
"category": "external",
"summary": "RHBZ#2096278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096278"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31035",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31035"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-24T20:13:56+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5192"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI"
},
{
"cve": "CVE-2022-31036",
"cwe": {
"id": "CWE-61",
"name": "UNIX Symbolic Link (Symlink) Following"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096291"
}
],
"notes": [
{
"category": "description",
"text": "A symlink following vulnerability was found in ArgoCD. A malicious user with write access can commit a symlink pointing to a file outside the expected directories. Once the Helm-type application consumes this symlink, the attacker can read the content of the file referenced by the symbolic link, compromising the confidentiality of other projects under the same ArgoCD installation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
"8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31036"
},
{
"category": "external",
"summary": "RHBZ#2096291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31036",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31036"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31036",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31036"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-24T20:13:56+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5192"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access"
}
]
}
rhsa-2022_5152
Vulnerability from csaf_redhat
Published
2022-06-22 04:17
Modified
2024-11-22 19:33
Summary
Red Hat Security Advisory: Red Hat OpenShift GitOps security update
Notes
Topic
An update is now available for Red Hat OpenShift GitOps 1.5.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.
Security Fix(es):
* argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)
* argocd: cross-site scripting (XSS) allows a malicious user to inject a javascript link in the UI (CVE-2022-31035)
* argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)
* argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift GitOps 1.5.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)\n\n* argocd: cross-site scripting (XSS) allows a malicious user to inject a javascript link in the UI (CVE-2022-31035)\n\n* argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)\n\n* argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2022:5152",
"url": "https://access.redhat.com/errata/RHSA-2022:5152"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2096278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096278"
},
{
"category": "external",
"summary": "2096282",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096282"
},
{
"category": "external",
"summary": "2096283",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096283"
},
{
"category": "external",
"summary": "2096291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096291"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5152.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update",
"tracking": {
"current_release_date": "2024-11-22T19:33:33+00:00",
"generator": {
"date": "2024-11-22T19:33:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2022:5152",
"initial_release_date": "2022-06-22T04:17:42+00:00",
"revision_history": [
{
"date": "2022-06-22T04:17:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2022-06-22T04:17:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T19:33:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift GitOps 1.5",
"product": {
"name": "Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_gitops:1.5::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift GitOps"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"product": {
"name": "openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"product_id": "openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"product_identification_helper": {
"purl": "pkg:oci/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.5.3-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.5.3-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.5.3-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.5.3-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.5.3-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"product": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.5.3-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.5.3-2"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64"
},
"product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64"
},
"product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-31016",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096283"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ArgoCD, which is vulnerable to an uncontrolled memory consumption bug. A crafted manifest file can lead the ArgoCD\u0027s repo-server component to crash, causing a denial of service. The attacker must be an authenticated user to exploit this vulnerability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to an uncontrolled memory consumption bug",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31016"
},
{
"category": "external",
"summary": "RHBZ#2096283",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096283"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31016",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31016"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31016",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31016"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-22T04:17:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5152"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "argocd: vulnerable to an uncontrolled memory consumption bug"
},
{
"cve": "CVE-2022-31034",
"cwe": {
"id": "CWE-331",
"name": "Insufficient Entropy"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096282"
}
],
"notes": [
{
"category": "description",
"text": "Several Single sign-on (SSO) vulnerabilities were found in ArgoCD when the login process is initiated via CLI or UI interfaces. The vulnerabilities are related to using insufficiently random value parameters during the login process. This flaw gives the attacker elevated privileges, including the possibility of administrative rights.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31034"
},
{
"category": "external",
"summary": "RHBZ#2096282",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096282"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31034",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31034"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-22T04:17:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5152"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI."
},
{
"cve": "CVE-2022-31035",
"cwe": {
"id": "CWE-80",
"name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096278"
}
],
"notes": [
{
"category": "description",
"text": "A Cross-site scripting (XSS) flaw was found in ArgoCD. This flaw allows a malicious actor to trigger a Cross-site scripting (XSS) vulnerability by storing a link point to a javascript code in ArgoCD UI. A successful attack depends on a user clicking the malicious link and triggering the function available in the UI without the user\u0027s knowledge. The actions done by the malicious code will run with the same victim\u0027s level of access, including administrative privileges, if the victim has this level of permission.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31035"
},
{
"category": "external",
"summary": "RHBZ#2096278",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096278"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31035",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31035"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31035",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31035"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-22T04:17:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5152"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI"
},
{
"cve": "CVE-2022-31036",
"cwe": {
"id": "CWE-61",
"name": "UNIX Symbolic Link (Symlink) Following"
},
"discovery_date": "2022-06-13T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2096291"
}
],
"notes": [
{
"category": "description",
"text": "A symlink following vulnerability was found in ArgoCD. A malicious user with write access can commit a symlink pointing to a file outside the expected directories. Once the Helm-type application consumes this symlink, the attacker can read the content of the file referenced by the symbolic link, compromising the confidentiality of other projects under the same ArgoCD installation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:c32cac230ef60e253043ba90232e6a920fe31197cd8cd2b1a3e541c84164cb35_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:3f8f609c488d05bea419632ec86f5a83c1fb611bf88e7c931e755a4893efa027_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:2e0f97c28dcfadc2c754a2297939c29742ad0e61ecda56f315c5d85d6283ac51_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:cfc34d0e2602de2c9585a0d7c02e86cb45790ec84f0f90cedc40f684b83bd3e3_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2dd15519967981129832c3e3e96ac9683c0157aecb5e313b2318ff240b603436_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:fa82c04304f176057c18218c35dd80a7bd8b3dcb651af36ff8392993a8b0a259_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2022-31036"
},
{
"category": "external",
"summary": "RHBZ#2096291",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096291"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2022-31036",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-31036"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31036",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31036"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm"
}
],
"release_date": "2022-06-15T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2022-06-22T04:17:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2022:5152"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:4974bab59e181b13139d0e3d9539f6b0fa7b984aeb2561409b1dad0da28d983b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access"
}
]
}
ghsa-2m7h-86qq-fp4v
Vulnerability from github
Published
2022-06-21 20:03
Modified
2022-06-21 20:03
Severity ?
Summary
Insecure entropy in Argo CD's PKCE/Oauth2/OIDC params
Details
Impact
All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. (The specific weak parameters are listed in the References section.)
The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact (potentially granting an attacker admin access to Argo CD). The CVSS for this Security Advisory assumes the worst-case scenario.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v2.4.1
- v2.3.5
- v2.2.10
- v2.1.16
Workarounds
There are no workarounds. You must upgrade to a patched version to resolve the vulnerability.
References
These are the insufficiently-random parameters:
- (since 0.11.0) The
stateparameter generated by theargocd logincommand for Oauth2 login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide the entropy required in the spec. This parameter is a "recommended" part of the Oauth2 flow and helps protect against cross-site request forgery attacks. - (since 1.7.2, when PKCE was added) The
code_verifierparameter generated by theargocd logincommand for Oauth2+PKCE login used a non-cryptographically secure source of entropy. The attacks mitigated by PKCE are complex but have been observed in the wild. - (since 0.11.0) The
stateparameter generated by the Argo CD API server during a UI-initiated Oauth2 login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide the entropy required in the spec. This parameter is a "recommended" part of the Oauth2 flow and helps protect against cross-site request forgery attacks. - (since 0.11.0) The
nonceparameter generated by the Argo CD API server during a UI-initiated Oauth2 implicit flow login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide sufficient entropy. This parameter is a required part of the OIDC implicit login flow and helps protect against replay attacks.
Credits
Originally discovered by @jgwest. @jannfis and @crenshaw-dev re-discovered the vulnerability when reviewing notes from ADA Logics' security audit of the Argo project sponsored by CNCF and facilitated by OSTIF. Thanks to Adam Korczynski and David Korczynski for their work on the audit.
For more information
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.8.7"
},
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "0.11.0"
},
{
"fixed": "2.1.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd/v2"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.4.0"
]
}
],
"aliases": [
"CVE-2022-31034"
],
"database_specific": {
"cwe_ids": [
"CWE-330",
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-21T20:03:23Z",
"nvd_published_at": "2022-06-27T19:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAll versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. (The specific weak parameters are listed in the References section.)\n\nThe attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact (potentially granting an attacker admin access to Argo CD). The CVSS for this Security Advisory assumes the worst-case scenario.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.4.1\n* v2.3.5\n* v2.2.10\n* v2.1.16\n\n### Workarounds\n\nThere are no workarounds. You must upgrade to a patched version to resolve the vulnerability.\n\n### References\n\nThese are the insufficiently-random parameters:\n\n1. (since 0.11.0) The [`state` parameter](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) generated by the `argocd login` command for Oauth2 login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide the entropy [required in the spec](https://datatracker.ietf.org/doc/html/rfc6749#section-10.10). This parameter is a \"recommended\" part of the Oauth2 flow and helps protect against cross-site request forgery attacks.\n2. (since 1.7.2, when PKCE was added) The [`code_verifier` parameter](https://datatracker.ietf.org/doc/html/rfc7636#section-4.1) generated by the `argocd login` command for Oauth2+PKCE login used a non-cryptographically secure source of entropy. The attacks mitigated by PKCE [are complex but have been observed in the wild](https://datatracker.ietf.org/doc/html/rfc7636#section-1).\n3. (since 0.11.0) The [`state` parameter](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1) generated by the Argo CD API server during a UI-initiated Oauth2 login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide the entropy [required in the spec](https://datatracker.ietf.org/doc/html/rfc6749#section-10.10). This parameter is a \"recommended\" part of the Oauth2 flow and helps protect against cross-site request forgery attacks.\n4. (since 0.11.0) The [`nonce` parameter](https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest) generated by the Argo CD API server during a UI-initiated Oauth2 implicit flow login used a non-cryptographically secure source of entropy and generated a parameter that was too short to provide sufficient entropy. This parameter is a required part of the OIDC implicit login flow and helps protect against replay attacks.\n\n### Credits\n\nOriginally discovered by @jgwest. @jannfis and @crenshaw-dev re-discovered the vulnerability when reviewing notes from ADA Logics\u0027 security audit of the Argo project sponsored by CNCF and facilitated by OSTIF. Thanks to Adam Korczynski and David Korczynski for their work on the audit.\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n",
"id": "GHSA-2m7h-86qq-fp4v",
"modified": "2022-06-21T20:03:23Z",
"published": "2022-06-21T20:03:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Insecure entropy in Argo CD\u0027s PKCE/Oauth2/OIDC params"
}
gsd-2022-31034
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-31034",
"description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability.",
"id": "GSD-2022-31034",
"references": [
"https://access.redhat.com/errata/RHSA-2022:5152",
"https://access.redhat.com/errata/RHSA-2022:5187",
"https://access.redhat.com/errata/RHSA-2022:5192",
"https://access.redhat.com/errata/RHSA-2022:5153"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-31034"
],
"details": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability.",
"id": "GSD-2022-31034",
"modified": "2023-12-13T01:19:17.758289Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31034",
"STATE": "PUBLIC",
"TITLE": "Insecure entropy in argo-cd"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "argo-cd",
"version": {
"version_data": [
{
"version_value": "\u003e= 0.11.0, \u003c 2.1.16"
},
{
"version_value": "\u003e= 2.2.0, \u003c 2.2.10"
},
{
"version_value": "\u003e= 2.3.0, \u003c 2.3.5"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.1"
}
]
}
}
]
},
"vendor_name": "argoproj"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-330: Use of Insufficiently Random Values"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v",
"refsource": "CONFIRM",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
},
{
"name": "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0",
"refsource": "MISC",
"url": "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0"
}
]
},
"source": {
"advisory": "GHSA-2m7h-86qq-fp4v",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=v0.11.0 \u003c=v1.8.7",
"affected_versions": "All versions starting from 0.11.0 up to 1.8.7",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-06-23",
"description": "### Impact\n\nAll versions of Argo CD starting with v0.11.0 is vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices.",
"fixed_versions": [
"v2.1.16"
],
"identifier": "GMS-2022-2554",
"identifiers": [
"GHSA-2m7h-86qq-fp4v",
"GMS-2022-2554",
"CVE-2022-31034"
],
"not_impacted": "All versions before 0.11.0, all versions after 1.8.7",
"package_slug": "go/github.com/argoproj/argo-cd",
"pubdate": "2022-06-21",
"solution": "Upgrade to version 2.1.16 or above.",
"title": "Insecure entropy in Argo CD\u0027s PKCE/Oauth2/OIDC params",
"urls": [
"https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v",
"https://github.com/advisories/GHSA-2m7h-86qq-fp4v"
],
"uuid": "454e5db0-cef8-4c50-81b8-eb9313f77e1b",
"versions": [
{
"commit": {
"sha": "71b646dfaedfdbab9e83d314f1b76287561a18e1",
"tags": [
"v0.11.0"
],
"timestamp": "20190110231421"
},
"number": "v0.11.0"
},
{
"commit": {
"sha": "eb3d1fb84b9b77cdffd70b14c4f949f1c64a9416",
"tags": [
"v1.8.7"
],
"timestamp": "20210303070237"
},
"number": "v1.8.7"
},
{
"commit": {
"sha": "903db5fe464032bd5a10bf32fe17639e76634c2a",
"tags": [
"v2.1.16"
],
"timestamp": "20220621161926"
},
"number": "v2.1.16"
}
]
},
{
"affected_range": "\u003cv2.1.16 || \u003e=v2.2.0 \u003cv2.2.10 || \u003e=v2.3.0 \u003cv2.3.5 || =v2.4.0",
"affected_versions": "All versions before 2.1.16, all versions starting from 2.2.0 before 2.2.10, all versions starting from 2.3.0 before 2.3.5, version 2.4.0",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2022-06-23",
"description": "All versions of Argo CD starting with v0.11.0 is vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows.",
"fixed_versions": [
"v2.1.16",
"v2.2.10",
"v2.3.5",
"v2.4.1"
],
"identifier": "GMS-2022-2558",
"identifiers": [
"GHSA-2m7h-86qq-fp4v",
"GMS-2022-2558",
"CVE-2022-31034"
],
"not_impacted": "All versions starting from 2.1.16 before 2.2.0, all versions starting from 2.2.10 before 2.3.0, all versions starting from 2.3.5 before 2.4.0, all versions after 2.4.0",
"package_slug": "go/github.com/argoproj/argo-cd/v2",
"pubdate": "2022-06-21",
"solution": "Upgrade to versions 2.1.16, 2.2.10, 2.3.5, 2.4.1 or above.",
"title": "Insecure entropy in Argo CD\u0027s PKCE/Oauth2/OIDC params",
"urls": [
"https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v",
"https://github.com/advisories/GHSA-2m7h-86qq-fp4v"
],
"uuid": "56b708be-4750-4ea9-ba85-e93df4c2b146",
"versions": [
{
"commit": {
"sha": "6da92a8e8103ce4145bb0fe2b7e952be79c9ff0a",
"tags": [
"v2.2.0"
],
"timestamp": "20211214180104"
},
"number": "v2.2.0"
},
{
"commit": {
"sha": "fe427802293b090f43f91f5839393174df6c3b3a",
"tags": [
"v2.3.0"
],
"timestamp": "20220306061859"
},
"number": "v2.3.0"
},
{
"commit": {
"sha": "91aefabc5b213a258ddcfe04b8e69bb4a2dd2566",
"tags": [
"stable",
"v2.4.0"
],
"timestamp": "20220610171343"
},
"number": "v2.4.0"
},
{
"commit": {
"sha": "903db5fe464032bd5a10bf32fe17639e76634c2a",
"tags": [
"v2.1.16"
],
"timestamp": "20220621161926"
},
"number": "v2.1.16"
},
{
"commit": {
"sha": "8db0e57b738ff5b0b276031573576fdc3498c04f",
"tags": [
"v2.2.10"
],
"timestamp": "20220621162737"
},
"number": "v2.2.10"
},
{
"commit": {
"sha": "52e6025f8b565705025d029e8bed36d6caa5ecf7",
"tags": [
"v2.4.1"
],
"timestamp": "20220621162747"
},
"number": "v2.4.1"
},
{
"commit": {
"sha": "1287d24bfe47bcaa6e791e5ff12fa1c1bf57a442",
"tags": [
"v2.3.5"
],
"timestamp": "20220621162823"
},
"number": "v2.3.5"
}
]
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:2.3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:2.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:2.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.1.16",
"versionStartIncluding": "0.11.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31034"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. The attacks on login flows which are meant to be mitigated by these parameters are difficult to accomplish but can have a high impact potentially granting an attacker admin access to Argo CD. Patches for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. There are no known workarounds for this vulnerability."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-331"
},
{
"lang": "en",
"value": "CWE-335"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0"
},
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-07-21T17:09Z",
"publishedDate": "2022-06-27T19:15Z"
}
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.