Action not permitted
Modal body text goes here.
cve-2023-22482
Vulnerability from cvelistv5
Published
2023-01-25 18:25
Modified
2024-08-02 10:13
Severity
Summary
JWT audience claim is not verified
References
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc | Patch, Third Party Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:48.469Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.8.2, \u003c 2.3.13"
},
{
"status": "affected",
"version": "\u003e= 2.4.0-rc1, \u003c 2.4.19"
},
{
"status": "affected",
"version": "\u003e= 2.5.0-rc1, \u003c 2.5.6"
},
{
"status": "affected",
"version": "\u003e= 2.6.0-rc1, \u003c 2.6.0-rc3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD\u0027s configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD\u0027s configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token\u0027s `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-25T18:25:15.287Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc"
}
],
"source": {
"advisory": "GHSA-q9hr-j4rf-8fjc",
"discovery": "UNKNOWN"
},
"title": "JWT audience claim is not verified"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22482",
"datePublished": "2023-01-25T18:25:15.287Z",
"dateReserved": "2022-12-29T17:41:28.088Z",
"dateUpdated": "2024-08-02T10:13:48.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-22482\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-01-26T21:18:12.213\",\"lastModified\":\"2024-08-07T15:43:51.540\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD\u0027s configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD\u0027s configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token\u0027s `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds.\"},{\"lang\":\"es\",\"value\":\"Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Las versiones de Argo CD que comienzan con v1.8.2 y anteriores a 2.3.13, 2.4.19, 2.5.6 y 2.6.0-rc-3 son vulnerables a un error de autorizaci\u00f3n incorrecta que hace que la API acepte ciertos tokens no v\u00e1lidos. Los proveedores de OIDC incluyen un reclamo \\\"aud\\\" (audiencia) en tokens firmados. El valor de esa afirmaci\u00f3n especifica la(s) audiencia(s) prevista(s) del token (es decir, el servicio o servicios que deben aceptar el token). Argo CD _valida_ que el token fue firmado por el proveedor OIDC configurado de Argo CD. Pero Argo CD _no_ valida el reclamo de audiencia, por lo que aceptar\u00e1 tokens que no est\u00e9n destinados a Argo CD. Si el proveedor OIDC configurado de Argo CD tambi\u00e9n atiende a otras audiencias (por ejemplo, un servicio de almacenamiento de archivos), entonces Argo CD aceptar\u00e1 un token destinado a una de esas otras audiencias. Argo CD otorgar\u00e1 privilegios de usuario seg\u00fan el reclamo de \\\"grupos\\\" del token, aunque esos grupos no estaban destinados a ser utilizados por Argo CD. Este error tambi\u00e9n aumenta el impacto de un token robado. Si un atacante roba un token v\u00e1lido para una audiencia diferente, puede usarlo para acceder a Argo CD. Se lanz\u00f3 un parche para esta vulnerabilidad en las versiones 2.6.0-rc3, 2.5.6, 2.4.19 y 2.3.13. No hay workarounds.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":2.2,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.8.2\",\"versionEndExcluding\":\"2.3.14\",\"matchCriteriaId\":\"2BB2E66B-3691-4FD9-8984-6EF63E49B39C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.4.0\",\"versionEndExcluding\":\"2.4.20\",\"matchCriteriaId\":\"5774C53F-D6CB-4F87-A192-35BC3CA11D5E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.5.0\",\"versionEndExcluding\":\"2.5.8\",\"matchCriteriaId\":\"7508D913-6A85-47EB-97D8-E31F35CC6188\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E9E8774-D703-4CE5-8B90-EE3CD7A45005\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EC71D67C-2326-401A-AB60-961A3C500FDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F78053BA-9B03-4831-881A-8C71C8B583D8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5C06F6A-AB8A-4633-912E-B07046ECF5C8\"}]}]}],\"references\":[{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
rhsa-2023_0468
Vulnerability from csaf_redhat
Published
2023-01-25 20:48
Modified
2024-09-16 10:08
Summary
Red Hat Security Advisory: Red Hat OpenShift GitOps security update
Notes
Topic
An update is now available for Red Hat OpenShift GitOps 1.5.9
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.
Security Fix(es):
* ArgoCD: JWT audience claim is not verified (CVE-2023-22482)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift GitOps 1.5.9\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* ArgoCD: JWT audience claim is not verified (CVE-2023-22482)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0468",
"url": "https://access.redhat.com/errata/RHSA-2023:0468"
},
{
"category": "external",
"summary": "https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html",
"url": "https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2160492",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160492"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_0468.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update",
"tracking": {
"current_release_date": "2024-09-16T10:08:28+00:00",
"generator": {
"date": "2024-09-16T10:08:28+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHSA-2023:0468",
"initial_release_date": "2023-01-25T20:48:55+00:00",
"revision_history": [
{
"date": "2023-01-25T20:48:55+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-25T20:48:55+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-16T10:08:28+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift GitOps 1.5",
"product": {
"name": "Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_gitops:1.5::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift GitOps"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
"product": {
"name": "openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
"product_id": "openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
"product_identification_helper": {
"purl": "pkg:oci/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.5.9-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.5.9-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.5.9-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.5.9-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.5.9-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
"product": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
"product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.5.9-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.5.9-2"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64"
},
"product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64"
},
"product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64 as a component of Red Hat OpenShift GitOps 1.5",
"product_id": "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64",
"relates_to_product_reference": "8Base-GitOps-1.5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-22482",
"discovery_date": "2023-01-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160492"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ArgoCD. GitOps is vulnerable to an improper authorization bug where the API may accept invalid tokens. ID providers include an audience claim in signed tokens, which may be used to restrict which services can accept the token. ArgoCD doesn\u0027t properly validate the audience claim in such scenarios; if the ID provider used with ArgoCD is also being used with other audiences, it will accept tokens that may not be intended to access the ArgoCD cluster.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ArgoCD: JWT audience claim is not verified",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64"
],
"known_not_affected": [
"8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
"8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-22482"
},
{
"category": "external",
"summary": "RHBZ#2160492",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160492"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-22482",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22482"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-22482",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22482"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc"
}
],
"release_date": "2023-01-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0468"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ArgoCD: JWT audience claim is not verified"
}
]
}
rhsa-2023_0466
Vulnerability from csaf_redhat
Published
2023-01-25 20:28
Modified
2024-09-16 10:08
Summary
Red Hat Security Advisory: Red Hat OpenShift GitOps security update
Notes
Topic
An update is now available for Red Hat OpenShift GitOps 1.6.4
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.
Security Fix(es):
* ArgoCD: JWT audience claim is not verified (CVE-2023-22482)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift GitOps 1.6.4\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* ArgoCD: JWT audience claim is not verified (CVE-2023-22482)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0466",
"url": "https://access.redhat.com/errata/RHSA-2023:0466"
},
{
"category": "external",
"summary": "https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html",
"url": "https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2160492",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160492"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_0466.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update",
"tracking": {
"current_release_date": "2024-09-16T10:08:38+00:00",
"generator": {
"date": "2024-09-16T10:08:38+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHSA-2023:0466",
"initial_release_date": "2023-01-25T20:28:24+00:00",
"revision_history": [
{
"date": "2023-01-25T20:28:24+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-25T20:28:24+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-16T10:08:38+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift GitOps 1.6",
"product": {
"name": "Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_gitops:1.6::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift GitOps"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:c93f9f51ae0dbd0d09332acb52efd6d0663b28760c3f4002a895f183b0b108cd_ppc64le",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:c93f9f51ae0dbd0d09332acb52efd6d0663b28760c3f4002a895f183b0b108cd_ppc64le",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:c93f9f51ae0dbd0d09332acb52efd6d0663b28760c3f4002a895f183b0b108cd_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:c93f9f51ae0dbd0d09332acb52efd6d0663b28760c3f4002a895f183b0b108cd?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:670fc4b628570d01de9c129d3ad8baa57f00501074b0c3ce6781a8665d2e8f97_ppc64le",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:670fc4b628570d01de9c129d3ad8baa57f00501074b0c3ce6781a8665d2e8f97_ppc64le",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:670fc4b628570d01de9c129d3ad8baa57f00501074b0c3ce6781a8665d2e8f97_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:670fc4b628570d01de9c129d3ad8baa57f00501074b0c3ce6781a8665d2e8f97?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:16ab1b532a1b16e3de8cb5d4951444b1ab4c02b357c3f1e29ee81ba283e5e929_ppc64le",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:16ab1b532a1b16e3de8cb5d4951444b1ab4c02b357c3f1e29ee81ba283e5e929_ppc64le",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:16ab1b532a1b16e3de8cb5d4951444b1ab4c02b357c3f1e29ee81ba283e5e929_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:16ab1b532a1b16e3de8cb5d4951444b1ab4c02b357c3f1e29ee81ba283e5e929?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:71314cc8315eccd746b0527442c7307b9758e90ac3ab2c1026df33b35a46d308_ppc64le",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:71314cc8315eccd746b0527442c7307b9758e90ac3ab2c1026df33b35a46d308_ppc64le",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:71314cc8315eccd746b0527442c7307b9758e90ac3ab2c1026df33b35a46d308_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:71314cc8315eccd746b0527442c7307b9758e90ac3ab2c1026df33b35a46d308?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:2ff93a530f9d58f0eec72d5dc229f70f830a2b52ee6ec0df25169cd2f94a4ae3_ppc64le",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:2ff93a530f9d58f0eec72d5dc229f70f830a2b52ee6ec0df25169cd2f94a4ae3_ppc64le",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:2ff93a530f9d58f0eec72d5dc229f70f830a2b52ee6ec0df25169cd2f94a4ae3_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:2ff93a530f9d58f0eec72d5dc229f70f830a2b52ee6ec0df25169cd2f94a4ae3?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.6.4-3"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:a0b0614edfeb29f866cf0939f907a0dc65319b35222d5b020bcdce6ce0d507ee_s390x",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:a0b0614edfeb29f866cf0939f907a0dc65319b35222d5b020bcdce6ce0d507ee_s390x",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:a0b0614edfeb29f866cf0939f907a0dc65319b35222d5b020bcdce6ce0d507ee_s390x",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:a0b0614edfeb29f866cf0939f907a0dc65319b35222d5b020bcdce6ce0d507ee?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:7b7ddc4e33b4279dfbed5c7efd17f2c3381cdaaf3fe550fe39ec980dca21a7c9_s390x",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:7b7ddc4e33b4279dfbed5c7efd17f2c3381cdaaf3fe550fe39ec980dca21a7c9_s390x",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:7b7ddc4e33b4279dfbed5c7efd17f2c3381cdaaf3fe550fe39ec980dca21a7c9_s390x",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:7b7ddc4e33b4279dfbed5c7efd17f2c3381cdaaf3fe550fe39ec980dca21a7c9?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:b55d225acaa15e51df7b25453b4a28a6a38c3ab04226cbb848410c562133fb75_s390x",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:b55d225acaa15e51df7b25453b4a28a6a38c3ab04226cbb848410c562133fb75_s390x",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:b55d225acaa15e51df7b25453b4a28a6a38c3ab04226cbb848410c562133fb75_s390x",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:b55d225acaa15e51df7b25453b4a28a6a38c3ab04226cbb848410c562133fb75?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:6ee402228287e1bc1ba025ef897e064d228137bd92c4c8db25c15d829b95168e_s390x",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:6ee402228287e1bc1ba025ef897e064d228137bd92c4c8db25c15d829b95168e_s390x",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:6ee402228287e1bc1ba025ef897e064d228137bd92c4c8db25c15d829b95168e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:6ee402228287e1bc1ba025ef897e064d228137bd92c4c8db25c15d829b95168e?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:6250feeab35e11cd0a2cc1446156d9c021d9dbd7f107212811e9648a84d97263_s390x",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:6250feeab35e11cd0a2cc1446156d9c021d9dbd7f107212811e9648a84d97263_s390x",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:6250feeab35e11cd0a2cc1446156d9c021d9dbd7f107212811e9648a84d97263_s390x",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:6250feeab35e11cd0a2cc1446156d9c021d9dbd7f107212811e9648a84d97263?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.6.4-3"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:2552a77174faf3983df086ce96257f4a650ba56cdb9565317c06bfe152389fdf_amd64",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:2552a77174faf3983df086ce96257f4a650ba56cdb9565317c06bfe152389fdf_amd64",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:2552a77174faf3983df086ce96257f4a650ba56cdb9565317c06bfe152389fdf_amd64",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:2552a77174faf3983df086ce96257f4a650ba56cdb9565317c06bfe152389fdf?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:d78332d3ad329d088270d518819bcb1c94bb770b0ab0b03625a637ab70ab2ec5_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:d78332d3ad329d088270d518819bcb1c94bb770b0ab0b03625a637ab70ab2ec5_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:d78332d3ad329d088270d518819bcb1c94bb770b0ab0b03625a637ab70ab2ec5_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:d78332d3ad329d088270d518819bcb1c94bb770b0ab0b03625a637ab70ab2ec5?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:9cfd7fe91d7dcbd1665716b68f4aeb69a65c7010a25131a4dbc95638ed8d16d8_amd64",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:9cfd7fe91d7dcbd1665716b68f4aeb69a65c7010a25131a4dbc95638ed8d16d8_amd64",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:9cfd7fe91d7dcbd1665716b68f4aeb69a65c7010a25131a4dbc95638ed8d16d8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:9cfd7fe91d7dcbd1665716b68f4aeb69a65c7010a25131a4dbc95638ed8d16d8?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:b721c2ffbea8066a6f3024486c80b443d2d3db5118b97942560a74b6e1db1915_amd64",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:b721c2ffbea8066a6f3024486c80b443d2d3db5118b97942560a74b6e1db1915_amd64",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:b721c2ffbea8066a6f3024486c80b443d2d3db5118b97942560a74b6e1db1915_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:b721c2ffbea8066a6f3024486c80b443d2d3db5118b97942560a74b6e1db1915?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:72d865d9e7e63f185cda94cb0287312688fc25d33fe9717021e864dd0c73532f_amd64",
"product": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:72d865d9e7e63f185cda94cb0287312688fc25d33fe9717021e864dd0c73532f_amd64",
"product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:72d865d9e7e63f185cda94cb0287312688fc25d33fe9717021e864dd0c73532f_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-operator-bundle@sha256:72d865d9e7e63f185cda94cb0287312688fc25d33fe9717021e864dd0c73532f?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.6.4-3"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:25f0f6d5a1d9f7ecc6cc0e15f4e5b8139ffd27e316e0d0c94e4ac106be12df24_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:25f0f6d5a1d9f7ecc6cc0e15f4e5b8139ffd27e316e0d0c94e4ac106be12df24_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:25f0f6d5a1d9f7ecc6cc0e15f4e5b8139ffd27e316e0d0c94e4ac106be12df24_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:25f0f6d5a1d9f7ecc6cc0e15f4e5b8139ffd27e316e0d0c94e4ac106be12df24?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.6.4-3"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:2552a77174faf3983df086ce96257f4a650ba56cdb9565317c06bfe152389fdf_amd64 as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:2552a77174faf3983df086ce96257f4a650ba56cdb9565317c06bfe152389fdf_amd64"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:2552a77174faf3983df086ce96257f4a650ba56cdb9565317c06bfe152389fdf_amd64",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:a0b0614edfeb29f866cf0939f907a0dc65319b35222d5b020bcdce6ce0d507ee_s390x as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:a0b0614edfeb29f866cf0939f907a0dc65319b35222d5b020bcdce6ce0d507ee_s390x"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:a0b0614edfeb29f866cf0939f907a0dc65319b35222d5b020bcdce6ce0d507ee_s390x",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:c93f9f51ae0dbd0d09332acb52efd6d0663b28760c3f4002a895f183b0b108cd_ppc64le as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:c93f9f51ae0dbd0d09332acb52efd6d0663b28760c3f4002a895f183b0b108cd_ppc64le"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:c93f9f51ae0dbd0d09332acb52efd6d0663b28760c3f4002a895f183b0b108cd_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:16ab1b532a1b16e3de8cb5d4951444b1ab4c02b357c3f1e29ee81ba283e5e929_ppc64le as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:16ab1b532a1b16e3de8cb5d4951444b1ab4c02b357c3f1e29ee81ba283e5e929_ppc64le"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:16ab1b532a1b16e3de8cb5d4951444b1ab4c02b357c3f1e29ee81ba283e5e929_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:9cfd7fe91d7dcbd1665716b68f4aeb69a65c7010a25131a4dbc95638ed8d16d8_amd64 as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:9cfd7fe91d7dcbd1665716b68f4aeb69a65c7010a25131a4dbc95638ed8d16d8_amd64"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:9cfd7fe91d7dcbd1665716b68f4aeb69a65c7010a25131a4dbc95638ed8d16d8_amd64",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:b55d225acaa15e51df7b25453b4a28a6a38c3ab04226cbb848410c562133fb75_s390x as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:b55d225acaa15e51df7b25453b4a28a6a38c3ab04226cbb848410c562133fb75_s390x"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:b55d225acaa15e51df7b25453b4a28a6a38c3ab04226cbb848410c562133fb75_s390x",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:72d865d9e7e63f185cda94cb0287312688fc25d33fe9717021e864dd0c73532f_amd64 as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:72d865d9e7e63f185cda94cb0287312688fc25d33fe9717021e864dd0c73532f_amd64"
},
"product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:72d865d9e7e63f185cda94cb0287312688fc25d33fe9717021e864dd0c73532f_amd64",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:25f0f6d5a1d9f7ecc6cc0e15f4e5b8139ffd27e316e0d0c94e4ac106be12df24_amd64 as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:25f0f6d5a1d9f7ecc6cc0e15f4e5b8139ffd27e316e0d0c94e4ac106be12df24_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:25f0f6d5a1d9f7ecc6cc0e15f4e5b8139ffd27e316e0d0c94e4ac106be12df24_amd64",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:2ff93a530f9d58f0eec72d5dc229f70f830a2b52ee6ec0df25169cd2f94a4ae3_ppc64le as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:2ff93a530f9d58f0eec72d5dc229f70f830a2b52ee6ec0df25169cd2f94a4ae3_ppc64le"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:2ff93a530f9d58f0eec72d5dc229f70f830a2b52ee6ec0df25169cd2f94a4ae3_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:6250feeab35e11cd0a2cc1446156d9c021d9dbd7f107212811e9648a84d97263_s390x as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:6250feeab35e11cd0a2cc1446156d9c021d9dbd7f107212811e9648a84d97263_s390x"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:6250feeab35e11cd0a2cc1446156d9c021d9dbd7f107212811e9648a84d97263_s390x",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:670fc4b628570d01de9c129d3ad8baa57f00501074b0c3ce6781a8665d2e8f97_ppc64le as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:670fc4b628570d01de9c129d3ad8baa57f00501074b0c3ce6781a8665d2e8f97_ppc64le"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:670fc4b628570d01de9c129d3ad8baa57f00501074b0c3ce6781a8665d2e8f97_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:7b7ddc4e33b4279dfbed5c7efd17f2c3381cdaaf3fe550fe39ec980dca21a7c9_s390x as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:7b7ddc4e33b4279dfbed5c7efd17f2c3381cdaaf3fe550fe39ec980dca21a7c9_s390x"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:7b7ddc4e33b4279dfbed5c7efd17f2c3381cdaaf3fe550fe39ec980dca21a7c9_s390x",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:d78332d3ad329d088270d518819bcb1c94bb770b0ab0b03625a637ab70ab2ec5_amd64 as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:d78332d3ad329d088270d518819bcb1c94bb770b0ab0b03625a637ab70ab2ec5_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:d78332d3ad329d088270d518819bcb1c94bb770b0ab0b03625a637ab70ab2ec5_amd64",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:6ee402228287e1bc1ba025ef897e064d228137bd92c4c8db25c15d829b95168e_s390x as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:6ee402228287e1bc1ba025ef897e064d228137bd92c4c8db25c15d829b95168e_s390x"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:6ee402228287e1bc1ba025ef897e064d228137bd92c4c8db25c15d829b95168e_s390x",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:71314cc8315eccd746b0527442c7307b9758e90ac3ab2c1026df33b35a46d308_ppc64le as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:71314cc8315eccd746b0527442c7307b9758e90ac3ab2c1026df33b35a46d308_ppc64le"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:71314cc8315eccd746b0527442c7307b9758e90ac3ab2c1026df33b35a46d308_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:b721c2ffbea8066a6f3024486c80b443d2d3db5118b97942560a74b6e1db1915_amd64 as a component of Red Hat OpenShift GitOps 1.6",
"product_id": "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:b721c2ffbea8066a6f3024486c80b443d2d3db5118b97942560a74b6e1db1915_amd64"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:b721c2ffbea8066a6f3024486c80b443d2d3db5118b97942560a74b6e1db1915_amd64",
"relates_to_product_reference": "8Base-GitOps-1.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-22482",
"discovery_date": "2023-01-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:16ab1b532a1b16e3de8cb5d4951444b1ab4c02b357c3f1e29ee81ba283e5e929_ppc64le",
"8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:9cfd7fe91d7dcbd1665716b68f4aeb69a65c7010a25131a4dbc95638ed8d16d8_amd64",
"8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:b55d225acaa15e51df7b25453b4a28a6a38c3ab04226cbb848410c562133fb75_s390x",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:72d865d9e7e63f185cda94cb0287312688fc25d33fe9717021e864dd0c73532f_amd64",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:25f0f6d5a1d9f7ecc6cc0e15f4e5b8139ffd27e316e0d0c94e4ac106be12df24_amd64",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:2ff93a530f9d58f0eec72d5dc229f70f830a2b52ee6ec0df25169cd2f94a4ae3_ppc64le",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:6250feeab35e11cd0a2cc1446156d9c021d9dbd7f107212811e9648a84d97263_s390x",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:670fc4b628570d01de9c129d3ad8baa57f00501074b0c3ce6781a8665d2e8f97_ppc64le",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:7b7ddc4e33b4279dfbed5c7efd17f2c3381cdaaf3fe550fe39ec980dca21a7c9_s390x",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:d78332d3ad329d088270d518819bcb1c94bb770b0ab0b03625a637ab70ab2ec5_amd64",
"8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:6ee402228287e1bc1ba025ef897e064d228137bd92c4c8db25c15d829b95168e_s390x",
"8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:71314cc8315eccd746b0527442c7307b9758e90ac3ab2c1026df33b35a46d308_ppc64le",
"8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:b721c2ffbea8066a6f3024486c80b443d2d3db5118b97942560a74b6e1db1915_amd64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160492"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ArgoCD. GitOps is vulnerable to an improper authorization bug where the API may accept invalid tokens. ID providers include an audience claim in signed tokens, which may be used to restrict which services can accept the token. ArgoCD doesn\u0027t properly validate the audience claim in such scenarios; if the ID provider used with ArgoCD is also being used with other audiences, it will accept tokens that may not be intended to access the ArgoCD cluster.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ArgoCD: JWT audience claim is not verified",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:2552a77174faf3983df086ce96257f4a650ba56cdb9565317c06bfe152389fdf_amd64",
"8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:a0b0614edfeb29f866cf0939f907a0dc65319b35222d5b020bcdce6ce0d507ee_s390x",
"8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:c93f9f51ae0dbd0d09332acb52efd6d0663b28760c3f4002a895f183b0b108cd_ppc64le"
],
"known_not_affected": [
"8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:16ab1b532a1b16e3de8cb5d4951444b1ab4c02b357c3f1e29ee81ba283e5e929_ppc64le",
"8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:9cfd7fe91d7dcbd1665716b68f4aeb69a65c7010a25131a4dbc95638ed8d16d8_amd64",
"8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:b55d225acaa15e51df7b25453b4a28a6a38c3ab04226cbb848410c562133fb75_s390x",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:72d865d9e7e63f185cda94cb0287312688fc25d33fe9717021e864dd0c73532f_amd64",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:25f0f6d5a1d9f7ecc6cc0e15f4e5b8139ffd27e316e0d0c94e4ac106be12df24_amd64",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:2ff93a530f9d58f0eec72d5dc229f70f830a2b52ee6ec0df25169cd2f94a4ae3_ppc64le",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:6250feeab35e11cd0a2cc1446156d9c021d9dbd7f107212811e9648a84d97263_s390x",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:670fc4b628570d01de9c129d3ad8baa57f00501074b0c3ce6781a8665d2e8f97_ppc64le",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:7b7ddc4e33b4279dfbed5c7efd17f2c3381cdaaf3fe550fe39ec980dca21a7c9_s390x",
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:d78332d3ad329d088270d518819bcb1c94bb770b0ab0b03625a637ab70ab2ec5_amd64",
"8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:6ee402228287e1bc1ba025ef897e064d228137bd92c4c8db25c15d829b95168e_s390x",
"8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:71314cc8315eccd746b0527442c7307b9758e90ac3ab2c1026df33b35a46d308_ppc64le",
"8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:b721c2ffbea8066a6f3024486c80b443d2d3db5118b97942560a74b6e1db1915_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-22482"
},
{
"category": "external",
"summary": "RHBZ#2160492",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160492"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-22482",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22482"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-22482",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22482"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc"
}
],
"release_date": "2023-01-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:2552a77174faf3983df086ce96257f4a650ba56cdb9565317c06bfe152389fdf_amd64",
"8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:a0b0614edfeb29f866cf0939f907a0dc65319b35222d5b020bcdce6ce0d507ee_s390x",
"8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:c93f9f51ae0dbd0d09332acb52efd6d0663b28760c3f4002a895f183b0b108cd_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0466"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:2552a77174faf3983df086ce96257f4a650ba56cdb9565317c06bfe152389fdf_amd64",
"8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:a0b0614edfeb29f866cf0939f907a0dc65319b35222d5b020bcdce6ce0d507ee_s390x",
"8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:c93f9f51ae0dbd0d09332acb52efd6d0663b28760c3f4002a895f183b0b108cd_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ArgoCD: JWT audience claim is not verified"
}
]
}
rhsa-2023_0467
Vulnerability from csaf_redhat
Published
2023-01-25 20:31
Modified
2024-09-16 10:08
Summary
Red Hat Security Advisory: Red Hat OpenShift GitOps security update
Notes
Topic
An update is now available for Red Hat OpenShift GitOps 1.7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.
Security Fix(es):
* ArgoCD: JWT audience claim is not verified (CVE-2023-22482)
* ArgoCD: authorization bypass (CVE-2023-22736)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift GitOps 1.7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* ArgoCD: JWT audience claim is not verified (CVE-2023-22482)\n\n* ArgoCD: authorization bypass (CVE-2023-22736)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0467",
"url": "https://access.redhat.com/errata/RHSA-2023:0467"
},
{
"category": "external",
"summary": "https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html",
"url": "https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2160492",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160492"
},
{
"category": "external",
"summary": "2162517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162517"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_0467.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update",
"tracking": {
"current_release_date": "2024-09-16T10:08:19+00:00",
"generator": {
"date": "2024-09-16T10:08:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHSA-2023:0467",
"initial_release_date": "2023-01-25T20:31:53+00:00",
"revision_history": [
{
"date": "2023-01-25T20:31:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-25T20:31:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-16T10:08:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift GitOps 1.7",
"product": {
"name": "Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_gitops:1.7::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift GitOps"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"product": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"product_id": "openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"product_identification_helper": {
"purl": "pkg:oci/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/console-plugin-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"product": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.7.1-2"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"product": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"product_id": "openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/console-plugin-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.7.1-2"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"product": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"product_id": "openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"product_identification_helper": {
"purl": "pkg:oci/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/console-plugin-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.7.1-2"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64"
},
"product_reference": "openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x"
},
"product_reference": "openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le"
},
"product_reference": "openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64"
},
"product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-22482",
"discovery_date": "2023-01-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160492"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ArgoCD. GitOps is vulnerable to an improper authorization bug where the API may accept invalid tokens. ID providers include an audience claim in signed tokens, which may be used to restrict which services can accept the token. ArgoCD doesn\u0027t properly validate the audience claim in such scenarios; if the ID provider used with ArgoCD is also being used with other audiences, it will accept tokens that may not be intended to access the ArgoCD cluster.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ArgoCD: JWT audience claim is not verified",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
],
"known_not_affected": [
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-22482"
},
{
"category": "external",
"summary": "RHBZ#2160492",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160492"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-22482",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22482"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-22482",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22482"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc"
}
],
"release_date": "2023-01-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0467"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ArgoCD: JWT audience claim is not verified"
},
{
"cve": "CVE-2023-22736",
"discovery_date": "2023-01-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2162517"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Red Hat GitOps, which is vulnerable to an authorization bypass in ArgoCD. This flaw allows users to deploy applications outside the allowed namespaces. The issue happens due to a logic error when interpreting the comma-separated namespaces list. To complete the attack, the attacker must have enough privileges to update deployed applications.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: Controller reconciles apps outside configured namespaces when sharding is enabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only affects Red Hat GitOps version 1.7, as the vulnerability was introduced in ArgoCD-2.5.\nThis vulnerability affects only deployments with \"apps-in-any-namespace\" feature by setting application.namespaces in the argocd-cmd-params-cm ConfigMap or otherwise setting the --application-namespaces flags on the Application controller and API server components.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
],
"known_not_affected": [
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-22736"
},
{
"category": "external",
"summary": "RHBZ#2162517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162517"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-22736",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22736"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-22736",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22736"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw"
}
],
"release_date": "2023-01-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0467"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "argocd: Controller reconciles apps outside configured namespaces when sharding is enabled"
}
]
}
gsd-2023-22482
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-22482",
"id": "GSD-2023-22482",
"references": [
"https://access.redhat.com/errata/RHSA-2023:0466",
"https://access.redhat.com/errata/RHSA-2023:0467",
"https://access.redhat.com/errata/RHSA-2023:0468"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-22482"
],
"details": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD\u0027s configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD\u0027s configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token\u0027s `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds.",
"id": "GSD-2023-22482",
"modified": "2023-12-13T01:20:43.288594Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-22482",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "argo-cd",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003e= 1.8.2, \u003c 2.3.13"
},
{
"version_affected": "=",
"version_value": "\u003e= 2.4.0-rc1, \u003c 2.4.19"
},
{
"version_affected": "=",
"version_value": "\u003e= 2.5.0-rc1, \u003c 2.5.6"
},
{
"version_affected": "=",
"version_value": "\u003e= 2.6.0-rc1, \u003c 2.6.0-rc3"
}
]
}
}
]
},
"vendor_name": "argoproj"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD\u0027s configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD\u0027s configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token\u0027s `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-863",
"lang": "eng",
"value": "CWE-863: Incorrect Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc",
"refsource": "MISC",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc"
}
]
},
"source": {
"advisory": "GHSA-q9hr-j4rf-8fjc",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=v1.8.2 \u003cv2.3.14 || \u003e=v2.4.0 \u003cv2.4.20 || \u003e=v2.5.0 \u003cv2.5.8 || \u003e=v2.6.0-rc1 \u003cv2.6.0-rc5",
"affected_versions": "All versions starting from 1.8.2 before 2.3.14, all versions starting from 2.4.0 before 2.4.20, all versions starting from 2.5.0 before 2.5.8, all versions starting from 2.6.0-rc1 before 2.6.0-rc5",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-01-25",
"description": "All versions of Argo CD starting with v1.8.2 is vulnerable to an improper authorization bug causing the API to accept certain invalid tokens.\n\nOIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token).",
"fixed_versions": [
"v2.3.14",
"v2.4.20",
"v2.5.8",
"v2.6.0-rc5"
],
"identifier": "GMS-2023-136",
"identifiers": [
"GHSA-q9hr-j4rf-8fjc",
"GMS-2023-136",
"CVE-2023-22482"
],
"not_impacted": "All versions before 1.8.2, all versions starting from 2.3.14 before 2.4.0, all versions starting from 2.4.20 before 2.5.0, all versions starting from 2.5.8 before 2.6.0-rc1, all versions starting from 2.6.0-rc5",
"package_slug": "go/github.com/argoproj/argo-cd",
"pubdate": "2023-01-25",
"solution": "Upgrade to versions 2.3.14, 2.4.20, 2.5.8, 2.6.0-rc5 or above. *Note*: 2.6.0-rc5 may be an unstable version. Use caution.",
"title": "JWT audience claim is not verified",
"urls": [
"https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc",
"https://github.com/advisories/GHSA-q9hr-j4rf-8fjc"
],
"uuid": "170e291d-e1ee-4b22-8bab-841bba170a19",
"versions": [
{
"commit": {
"sha": "94017f2c8d97588d4aa2213713a71d51005ed62d",
"tags": [
"v1.8.2"
],
"timestamp": "20210110053048"
},
"number": "v1.8.2"
},
{
"commit": {
"sha": "91aefabc5b213a258ddcfe04b8e69bb4a2dd2566",
"tags": [
"v2.4.0"
],
"timestamp": "20220610171343"
},
"number": "v2.4.0"
},
{
"commit": {
"sha": "b895da457791d56f01522796a8c3cd0f583d5d91",
"tags": [
"v2.5.0"
],
"timestamp": "20221025142302"
},
"number": "v2.5.0"
},
{
"commit": {
"sha": "81e40d53fe8eee50b00ab38c4b07b34b3dcd6d25",
"tags": [
"v2.6.0-rc1"
],
"timestamp": "20221219163627"
},
"number": "v2.6.0-rc1"
},
{
"commit": {
"sha": "181008e31066ea7cf2c8f6b0320ed8abfeb7426f",
"tags": [
"v2.3.14"
],
"timestamp": "20230125152227"
},
"number": "v2.3.14"
},
{
"commit": {
"sha": "68f58c956a1580fae5201d985af744359bf63f6c",
"tags": [
"v2.4.20"
],
"timestamp": "20230125152844"
},
"number": "v2.4.20"
},
{
"commit": {
"sha": "bbe870ff5904dd1cebeba6c5dcb7129ce7c2b5e2",
"tags": [
"stable",
"v2.5.8"
],
"timestamp": "20230125160115"
},
"number": "v2.5.8"
},
{
"commit": {
"sha": "e790028e5cf99d65d6896830fc4ca757c91ce0d5",
"tags": [
"v2.6.0-rc5"
],
"timestamp": "20230125174545"
},
"number": "v2.6.0-rc5"
}
]
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.5.8",
"versionStartIncluding": "2.5.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.4.20",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.3.14",
"versionStartIncluding": "1.8.2",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-22482"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions of Argo CD starting with v1.8.2 and prior to 2.3.13, 2.4.19, 2.5.6, and 2.6.0-rc-3 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens. OIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD\u0027s configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD. If Argo CD\u0027s configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token\u0027s `groups` claim, even though those groups were not intended to be used by Argo CD. This bug also increases the impact of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD. A patch for this vulnerability has been released in versions 2.6.0-rc3, 2.5.6, 2.4.19, and 2.3.13. There are no workarounds."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-02-23T19:24Z",
"publishedDate": "2023-01-26T21:18Z"
}
}
}
wid-sec-w-2023-0201
Vulnerability from csaf_certbund
Published
2023-01-25 23:00
Modified
2023-01-25 23:00
Summary
Red Hat OpenShift: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat OpenShift ist eine "Platform as a Service" (PaaS) Lösung zur Bereitstellung von Applikationen in der Cloud.
Angriff
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Red Hat OpenShift ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Red Hat OpenShift ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0201 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0201.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0201 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0201"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0468 vom 2023-01-25",
"url": "https://access.redhat.com/errata/RHSA-2023:0468"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0467 vom 2023-01-25",
"url": "https://access.redhat.com/errata/RHSA-2023:0467"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0466 vom 2023-01-25",
"url": "https://access.redhat.com/errata/RHSA-2023:0466"
}
],
"source_lang": "en-US",
"title": "Red Hat OpenShift: Mehrere Schwachstellen erm\u00f6glichen Umgehen von Sicherheitsvorkehrungen",
"tracking": {
"current_release_date": "2023-01-25T23:00:00.000+00:00",
"generator": {
"date": "2024-02-15T17:11:43.576+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.0"
}
},
"id": "WID-SEC-W-2023-0201",
"initial_release_date": "2023-01-25T23:00:00.000+00:00",
"revision_history": [
{
"date": "2023-01-25T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift \u003c GitOps 1.5.9",
"product": {
"name": "Red Hat OpenShift \u003c GitOps 1.5.9",
"product_id": "T026033",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:gitops_1.5.9"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift \u003c GitOps 1.6.4",
"product": {
"name": "Red Hat OpenShift \u003c GitOps 1.6.4",
"product_id": "T026034",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:gitops_1.6.4"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift \u003c GitOps 1.7",
"product": {
"name": "Red Hat OpenShift \u003c GitOps 1.7",
"product_id": "T026035",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:gitops_1.7"
}
}
}
],
"category": "product_name",
"name": "OpenShift"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-22736",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in Red Hat OpenShift GitOps. Es besteht ein Fehler in einer API der Komponente \"ArgoCD\", welche eine Umgehung der Authentisierung erm\u00f6glicht. Dabei ist es m\u00f6glich Applikationen au\u00dferhalb von angegeben Bereichen zu starten. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsvorkehrungen zu umgehen."
}
],
"release_date": "2023-01-25T23:00:00Z",
"title": "CVE-2023-22736"
},
{
"cve": "CVE-2023-22482",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in Red Hat OpenShift GitOps. Diese ist auf einen Fehler bei der Authentisierung in der Komponente \"ArgoCD\" zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsvorkehrungen zu umgehen."
}
],
"release_date": "2023-01-25T23:00:00Z",
"title": "CVE-2023-22482"
}
]
}
ghsa-q9hr-j4rf-8fjc
Vulnerability from github
Published
2023-01-25 22:02
Modified
2023-02-07 21:21
Severity
Summary
JWT audience claim is not verified
Details
Impact
All versions of Argo CD starting with v1.8.2 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens.
OIDC providers include an aud (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD does validate that the token was signed by Argo CD's configured OIDC provider. But Argo CD does not validate the audience claim, so it will accept tokens that are not intended for Argo CD.
If Argo CD's configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token's groups claim, even though those groups were not intended to be used by Argo CD.
This bug also increases the blast radius of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v2.6.0-rc5
- v2.5.8
- v2.4.20
- v2.3.14
The patch introduces a new allowedAudiences to the OIDC config block. By default, the client ID is the only allowed audience. Users who want Argo CD to accept tokens intended for a different audience may use allowedAudiences to specify those audiences.
`yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
data:
oidc.config: |
name: Example
allowedAudiences:
- audience-1
- audience-2
- argocd-client-id # If `allowedAudiences` is non-empty, Argo CD's client ID must be explicitly added if you want to allow it.
Even though the OIDC spec requires the audience claim, some tokens may not include it. To avoid a breaking change in a patch release, versions < 2.6.0 of Argo CD will skip the audience claim check for tokens that have no audience. In versions >= 2.6.0, Argo CD will reject all tokens which do not have an audience claim. Users can opt into the old behavior by setting an option:
yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: argocd-cm
data:
oidc.config: |
name: Example
skipAudienceCheckWhenTokenHasNoAudience: true
Workarounds
There is no workaround besides upgrading.
Credits
The Argo CD team would like to express their gratitude to Vladimir Pouzanov (@farcaller) from Indeed, who discovered the issue, reported it confidentially according to our guidelines, and actively worked with the project to provide a remedy. Many thanks to Vladimir!
References
- How to configure OIDC in Argo CD
- OIDC spec section discussing the audience claim
- JWT spec section discussing the audience claim
For more information
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "1.8.2"
},
{
"fixed": "2.3.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0-rc1"
},
{
"fixed": "2.6.0-rc5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-22482"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-25T22:02:52Z",
"nvd_published_at": "2023-01-26T21:18:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\n\nAll versions of Argo CD starting with v1.8.2 are vulnerable to an improper authorization bug causing the API to accept certain invalid tokens.\n\nOIDC providers include an `aud` (audience) claim in signed tokens. The value of that claim specifies the intended audience(s) of the token (i.e. the service or services which are meant to accept the token). Argo CD _does_ validate that the token was signed by Argo CD\u0027s configured OIDC provider. But Argo CD _does not_ validate the audience claim, so it will accept tokens that are not intended for Argo CD.\n\nIf Argo CD\u0027s configured OIDC provider also serves other audiences (for example, a file storage service), then Argo CD will accept a token intended for one of those other audiences. Argo CD will grant the user privileges based on the token\u0027s `groups` claim, even though those groups were not intended to be used by Argo CD.\n\nThis bug also increases the blast radius of a stolen token. If an attacker steals a valid token for a different audience, they can use it to access Argo CD.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.6.0-rc5\n* v2.5.8\n* v2.4.20\n* v2.3.14\n\nThe patch introduces a new `allowedAudiences` to the OIDC config block. By default, the client ID is the only allowed audience. Users who _want_ Argo CD to accept tokens intended for a different audience may use `allowedAudiences` to specify those audiences.\n\n```yaml\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: argocd-cm\ndata:\n oidc.config: |\n name: Example\n allowedAudiences:\n - audience-1\n - audience-2\n - argocd-client-id # If `allowedAudiences` is non-empty, Argo CD\u0027s client ID must be explicitly added if you want to allow it.\n``\n\nEven though [the OIDC spec requires the audience claim](https://openid.net/specs/openid-connect-core-1_0.html#IDToken), some tokens may not include it. To avoid a breaking change in a patch release, versions \u003c 2.6.0 of Argo CD will skip the audience claim check for tokens that have no audience. In versions \u003e= 2.6.0, Argo CD will reject all tokens which do not have an audience claim. Users can opt into the old behavior by setting an option:\n\n```yaml\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: argocd-cm\ndata:\n oidc.config: |\n name: Example\n skipAudienceCheckWhenTokenHasNoAudience: true\n```\n\n### Workarounds\n\nThere is no workaround besides upgrading.\n\n### Credits \n\nThe Argo CD team would like to express their gratitude to Vladimir Pouzanov (@farcaller) from Indeed, who discovered the issue, reported it confidentially according to our [guidelines](https://github.com/argoproj/argo-cd/blob/master/SECURITY.md#reporting-a-vulnerability), and actively worked with the project to provide a remedy. Many thanks to Vladimir!\n\n### References\n\n* [How to configure OIDC in Argo CD](https://argo-cd.readthedocs.io/en/latest/operator-manual/user-management/#existing-oidc-provider)\n* [OIDC spec section discussing the audience claim](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)\n* [JWT spec section discussing the audience claim](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3)\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n",
"id": "GHSA-q9hr-j4rf-8fjc",
"modified": "2023-02-07T21:21:41Z",
"published": "2023-01-25T22:02:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22482"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "JWT audience claim is not verified"
}
Loading...