Action not permitted
Modal body text goes here.
cve-2023-22736
Vulnerability from cvelistv5
Published
2023-01-26 03:35
Modified
2024-08-02 10:13
Severity
Summary
argo-cd Controller reconciles apps outside configured namespaces when sharding is enabled
References
| Source | URL | Tags |
|---|---|---|
| security-advisories@github.com | https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw | Third Party Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:13:50.215Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "argo-cd",
"vendor": "argoproj",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.5.0=rc1, \u003c 2.5.8"
},
{
"status": "affected",
"version": "= 2.6.0-rc4, \u003c 2.6.0-rc5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource. This bug only applies to users who have explicitly enabled the \"apps-in-any-namespace\" feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-namespaces` flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory\u0027s publish date. The bug is also limited to Argo CD instances where sharding is enabled by increasing the `replicas` count for the Application controller. Finally, the AppProjects\u0027 `sourceNamespaces` field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace. A patch for this vulnerability has been released in versions 2.5.8 and 2.6.0-rc5. As a workaround, running only one replica of the Application controller will prevent exploitation of this bug. Making sure all AppProjects\u0027 sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-26T03:35:27.309Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw"
}
],
"source": {
"advisory": "GHSA-6p4m-hw2h-6gmw",
"discovery": "UNKNOWN"
},
"title": "argo-cd Controller reconciles apps outside configured namespaces when sharding is enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-22736",
"datePublished": "2023-01-26T03:35:27.309Z",
"dateReserved": "2023-01-06T14:21:05.892Z",
"dateUpdated": "2024-08-02T10:13:50.215Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-22736\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-01-26T21:18:13.110\",\"lastModified\":\"2024-08-07T15:43:51.540\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource. This bug only applies to users who have explicitly enabled the \\\"apps-in-any-namespace\\\" feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-namespaces` flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory\u0027s publish date. The bug is also limited to Argo CD instances where sharding is enabled by increasing the `replicas` count for the Application controller. Finally, the AppProjects\u0027 `sourceNamespaces` field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace. A patch for this vulnerability has been released in versions 2.5.8 and 2.6.0-rc5. As a workaround, running only one replica of the Application controller will prevent exploitation of this bug. Making sure all AppProjects\u0027 sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug.\"},{\"lang\":\"es\",\"value\":\"Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Las versiones que comienzan con 2.5.0-rc1 y superiores, anteriores a 2.5.8 y la versi\u00f3n 2.6.0-rc4, son vulnerables a un error de omisi\u00f3n de autorizaci\u00f3n que permite a un usuario malintencionado de Argo CD implementar aplicaciones fuera de los espacios de nombres permitidos configurados. Los espacios de nombres de aplicaciones reconciliados se especifican como una lista de patrones globales delimitados por comas. Cuando la fragmentaci\u00f3n est\u00e1 habilitada en el controlador de aplicaciones, no aplica esa lista de patrones al conciliar aplicaciones. Por ejemplo, si los espacios de nombres de las aplicaciones est\u00e1n configurados para ser argocd-*, el controlador de la aplicaci\u00f3n puede conciliar una aplicaci\u00f3n instalada en un espacio de nombres llamado other, aunque no comience con argocd-. La conciliaci\u00f3n de la aplicaci\u00f3n fuera de los l\u00edmites solo se activa cuando la aplicaci\u00f3n se actualiza, por lo que el atacante debe poder provocar una operaci\u00f3n de actualizaci\u00f3n en el recurso de la aplicaci\u00f3n. Este error solo se aplica a los usuarios que han habilitado expl\u00edcitamente la funci\u00f3n \\\"aplicaciones en cualquier espacio de nombres\\\" configurando `application.namespaces` en el ConfigMap argocd-cmd-params-cm o configurando de otro modo los indicadores `--application-namespaces` en los componentes del controlador de aplicaciones y del servidor API. La funci\u00f3n de aplicaciones en cualquier espacio de nombres se encuentra en versi\u00f3n beta a partir de la fecha de publicaci\u00f3n de este aviso de seguridad. El error tambi\u00e9n se limita a las instancias de Argo CD donde la fragmentaci\u00f3n se habilita aumentando el recuento de \\\"r\u00e9plicas\\\" para el controlador de la aplicaci\u00f3n. Finalmente, el campo `sourceNamespaces` de AppProjects act\u00faa como una verificaci\u00f3n secundaria contra este exploit. Para provocar la conciliaci\u00f3n de una aplicaci\u00f3n en un espacio de nombres fuera de los l\u00edmites, debe estar disponible un AppProject que permita aplicaciones en el espacio de nombres fuera de los l\u00edmites. Se lanz\u00f3 un parche para esta vulnerabilidad en las versiones 2.5.8 y 2.6.0-rc5. Como workaround, ejecutar solo una r\u00e9plica del controlador de la aplicaci\u00f3n evitar\u00e1 que se aproveche este error. Asegurarse de que todos los espacios de nombres de origen de AppProjects est\u00e9n restringidos dentro de los l\u00edmites de los espacios de nombres de aplicaciones configurados tambi\u00e9n evitar\u00e1 la explotaci\u00f3n de este error.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.5.0\",\"versionEndExcluding\":\"2.5.8\",\"matchCriteriaId\":\"7508D913-6A85-47EB-97D8-E31F35CC6188\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E9E8774-D703-4CE5-8B90-EE3CD7A45005\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EC71D67C-2326-401A-AB60-961A3C500FDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F78053BA-9B03-4831-881A-8C71C8B583D8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5C06F6A-AB8A-4633-912E-B07046ECF5C8\"}]}]}],\"references\":[{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
ghsa-6p4m-hw2h-6gmw
Vulnerability from github
Published
2023-01-25 19:39
Modified
2023-01-25 19:39
Severity
Summary
Controller reconciles apps outside configured namespaces when sharding is enabled
Details
Impact
All Argo CD versions starting with 2.5.0-rc1 are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces.
Description of exploit
Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-.
Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource.
Limitations
This bug only applies to users who have explicitly enabled the "apps-in-any-namespace" feature by setting application.namespaces in the argocd-cmd-params-cm ConfigMap or otherwise setting the --application-namespaces flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory's publish date.
The bug is also limited to Argo CD instances where sharding is enabled by increasing the replicas count for the Application controller.
Finally, the AppProjects' sourceNamespaces field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v2.5.8
- v2.6.0-rc5
Workarounds
Running only one replica of the Application controller will prevent exploitation of this bug.
Making sure all AppProjects' sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug.
Credits
Thanks to ChangZhuo Chen (@czchen) for finding the issue and for contributing the fix!
References
For more information
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0-rc1"
},
{
"fixed": "2.5.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/argoproj/argo-cd"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0-rc4"
},
{
"fixed": "2.6.0-rc5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.6.0-rc4"
]
}
],
"aliases": [
"CVE-2023-22736"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-25T19:39:03Z",
"nvd_published_at": "2023-01-26T21:18:00Z",
"severity": "HIGH"
},
"details": "### Impact\n\nAll Argo CD versions starting with 2.5.0-rc1 are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. \n\n#### Description of exploit\n\nReconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be `argocd-*`, the Application controller may reconcile an Application installed in a namespace called `other`, even though it does not start with `argocd-`.\n\nReconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource.\n\n#### Limitations\n\nThis bug only applies to users who have explicitly enabled the \"apps-in-any-namespace\" feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-namespaces` flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory\u0027s publish date.\n\nThe bug is also limited to Argo CD instances where sharding is enabled by increasing the `replicas` count for the Application controller.\n\nFinally, the AppProjects\u0027 `sourceNamespaces` field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.5.8\n* v2.6.0-rc5\n\n### Workarounds\n\nRunning only one replica of the Application controller will prevent exploitation of this bug.\n\nMaking sure all AppProjects\u0027 `sourceNamespaces` are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug.\n\n### Credits\n\nThanks to ChangZhuo Chen (@czchen) for finding the issue and for contributing the fix!\n\n### References\n\n* [Documentation for apps-in-any-namespace](https://argo-cd--10678.org.readthedocs.build/en/10678/operator-manual/app-any-namespace/)\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n",
"id": "GHSA-6p4m-hw2h-6gmw",
"modified": "2023-01-25T19:39:03Z",
"published": "2023-01-25T19:39:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22736"
},
{
"type": "PACKAGE",
"url": "https://github.com/argoproj/argo-cd"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Controller reconciles apps outside configured namespaces when sharding is enabled"
}
gsd-2023-22736
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource. This bug only applies to users who have explicitly enabled the "apps-in-any-namespace" feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-namespaces` flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory's publish date. The bug is also limited to Argo CD instances where sharding is enabled by increasing the `replicas` count for the Application controller. Finally, the AppProjects' `sourceNamespaces` field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace. A patch for this vulnerability has been released in versions 2.5.8 and 2.6.0-rc5. As a workaround, running only one replica of the Application controller will prevent exploitation of this bug. Making sure all AppProjects' sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-22736",
"id": "GSD-2023-22736",
"references": [
"https://access.redhat.com/errata/RHSA-2023:0467"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-22736"
],
"details": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource. This bug only applies to users who have explicitly enabled the \"apps-in-any-namespace\" feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-namespaces` flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory\u0027s publish date. The bug is also limited to Argo CD instances where sharding is enabled by increasing the `replicas` count for the Application controller. Finally, the AppProjects\u0027 `sourceNamespaces` field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace. A patch for this vulnerability has been released in versions 2.5.8 and 2.6.0-rc5. As a workaround, running only one replica of the Application controller will prevent exploitation of this bug. Making sure all AppProjects\u0027 sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug.",
"id": "GSD-2023-22736",
"modified": "2023-12-13T01:20:42.898556Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-22736",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "argo-cd",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003e= 2.5.0=rc1, \u003c 2.5.8"
},
{
"version_affected": "=",
"version_value": "= 2.6.0-rc4, \u003c 2.6.0-rc5"
}
]
}
}
]
},
"vendor_name": "argoproj"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource. This bug only applies to users who have explicitly enabled the \"apps-in-any-namespace\" feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-namespaces` flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory\u0027s publish date. The bug is also limited to Argo CD instances where sharding is enabled by increasing the `replicas` count for the Application controller. Finally, the AppProjects\u0027 `sourceNamespaces` field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace. A patch for this vulnerability has been released in versions 2.5.8 and 2.6.0-rc5. As a workaround, running only one replica of the Application controller will prevent exploitation of this bug. Making sure all AppProjects\u0027 sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-862",
"lang": "eng",
"value": "CWE-862: Missing Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw",
"refsource": "MISC",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw"
}
]
},
"source": {
"advisory": "GHSA-6p4m-hw2h-6gmw",
"discovery": "UNKNOWN"
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=v2.5.0-rc1 \u003cv2.5.8 || =v2.6.0-rc4",
"affected_versions": "All versions starting from 2.5.0-rc1 before 2.5.8, version 2.6.0-rc4",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-01-25",
"description": "All Argo CD versions starting with 2.5.0-rc1 is vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces.",
"fixed_versions": [
"v2.5.8",
"v2.6.0-rc5"
],
"identifier": "GMS-2023-135",
"identifiers": [
"GHSA-6p4m-hw2h-6gmw",
"GMS-2023-135",
"CVE-2023-22736"
],
"not_impacted": "All versions before 2.5.0-rc1, all versions starting from 2.5.8 before 2.6.0-rc4, all versions after 2.6.0-rc4",
"package_slug": "go/github.com/argoproj/argo-cd",
"pubdate": "2023-01-25",
"solution": "Upgrade to versions 2.5.8, 2.6.0-rc5 or above. *Note*: 2.6.0-rc5 may be an unstable version. Use caution.",
"title": "Controller reconciles apps outside configured namespaces when sharding is enabled",
"urls": [
"https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw",
"https://github.com/advisories/GHSA-6p4m-hw2h-6gmw"
],
"uuid": "1499aa11-59f1-4d5a-a54d-4f657d5b8440",
"versions": [
{
"commit": {
"sha": "2bf51f401d6700f8e8b9565d9fc3f66dcf60a0b6",
"tags": [
"v2.5.0-rc1"
],
"timestamp": "20221005165955"
},
"number": "v2.5.0-rc1"
},
{
"commit": {
"sha": "590ea32083e83f651f83f71ae4a1678476fca88c",
"tags": [
"v2.6.0-rc4"
],
"timestamp": "20230118021005"
},
"number": "v2.6.0-rc4"
},
{
"commit": {
"sha": "bbe870ff5904dd1cebeba6c5dcb7129ce7c2b5e2",
"tags": [
"stable",
"v2.5.8"
],
"timestamp": "20230125160115"
},
"number": "v2.5.8"
},
{
"commit": {
"sha": "e790028e5cf99d65d6896830fc4ca757c91ce0d5",
"tags": [
"v2.6.0-rc5"
],
"timestamp": "20230125174545"
},
"number": "v2.6.0-rc5"
}
]
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:2.6.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.5.8",
"versionStartIncluding": "2.5.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-22736"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource. This bug only applies to users who have explicitly enabled the \"apps-in-any-namespace\" feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-namespaces` flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory\u0027s publish date. The bug is also limited to Argo CD instances where sharding is enabled by increasing the `replicas` count for the Application controller. Finally, the AppProjects\u0027 `sourceNamespaces` field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace. A patch for this vulnerability has been released in versions 2.5.8 and 2.6.0-rc5. As a workaround, running only one replica of the Application controller will prevent exploitation of this bug. Making sure all AppProjects\u0027 sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 6.0
}
},
"lastModifiedDate": "2023-02-07T01:15Z",
"publishedDate": "2023-01-26T21:18Z"
}
}
}
rhsa-2023_0467
Vulnerability from csaf_redhat
Published
2023-01-25 20:31
Modified
2024-09-16 10:08
Summary
Red Hat Security Advisory: Red Hat OpenShift GitOps security update
Notes
Topic
An update is now available for Red Hat OpenShift GitOps 1.7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.
Security Fix(es):
* ArgoCD: JWT audience claim is not verified (CVE-2023-22482)
* ArgoCD: authorization bypass (CVE-2023-22736)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat OpenShift GitOps 1.7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* ArgoCD: JWT audience claim is not verified (CVE-2023-22482)\n\n* ArgoCD: authorization bypass (CVE-2023-22736)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2023:0467",
"url": "https://access.redhat.com/errata/RHSA-2023:0467"
},
{
"category": "external",
"summary": "https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html",
"url": "https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "2160492",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160492"
},
{
"category": "external",
"summary": "2162517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162517"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_0467.json"
}
],
"title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update",
"tracking": {
"current_release_date": "2024-09-16T10:08:19+00:00",
"generator": {
"date": "2024-09-16T10:08:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHSA-2023:0467",
"initial_release_date": "2023-01-25T20:31:53+00:00",
"revision_history": [
{
"date": "2023-01-25T20:31:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2023-01-25T20:31:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-16T10:08:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift GitOps 1.7",
"product": {
"name": "Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_gitops:1.7::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift GitOps"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"product": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"product_id": "openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"product_identification_helper": {
"purl": "pkg:oci/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/console-plugin-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"product": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.7.1-2"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"product": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"product_id": "openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/console-plugin-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.7.1-2"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x",
"product": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x",
"product_id": "openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x",
"product_identification_helper": {
"purl": "pkg:oci/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"product": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"product_id": "openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"product_identification_helper": {
"purl": "pkg:oci/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/console-plugin-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"product": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"product_id": "openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"product": {
"name": "openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"product_id": "openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"product_identification_helper": {
"purl": "pkg:oci/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"product": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"product_identification_helper": {
"purl": "pkg:oci/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.7.1-2"
}
}
},
{
"category": "product_version",
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"product": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.7.1-2"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
},
"product_reference": "openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64"
},
"product_reference": "openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x"
},
"product_reference": "openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le"
},
"product_reference": "openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x"
},
"product_reference": "openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64"
},
"product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64"
},
"product_reference": "openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64 as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"relates_to_product_reference": "8Base-GitOps-1.7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le as a component of Red Hat OpenShift GitOps 1.7",
"product_id": "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le"
},
"product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le",
"relates_to_product_reference": "8Base-GitOps-1.7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-22482",
"discovery_date": "2023-01-12T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2160492"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in ArgoCD. GitOps is vulnerable to an improper authorization bug where the API may accept invalid tokens. ID providers include an audience claim in signed tokens, which may be used to restrict which services can accept the token. ArgoCD doesn\u0027t properly validate the audience claim in such scenarios; if the ID provider used with ArgoCD is also being used with other audiences, it will accept tokens that may not be intended to access the ArgoCD cluster.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ArgoCD: JWT audience claim is not verified",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
],
"known_not_affected": [
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-22482"
},
{
"category": "external",
"summary": "RHBZ#2160492",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160492"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-22482",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22482"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-22482",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22482"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc"
}
],
"release_date": "2023-01-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0467"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ArgoCD: JWT audience claim is not verified"
},
{
"cve": "CVE-2023-22736",
"discovery_date": "2023-01-19T00:00:00+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2162517"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Red Hat GitOps, which is vulnerable to an authorization bypass in ArgoCD. This flaw allows users to deploy applications outside the allowed namespaces. The issue happens due to a logic error when interpreting the comma-separated namespaces list. To complete the attack, the attacker must have enough privileges to update deployed applications.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "argocd: Controller reconciles apps outside configured namespaces when sharding is enabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue only affects Red Hat GitOps version 1.7, as the vulnerability was introduced in ArgoCD-2.5.\nThis vulnerability affects only deployments with \"apps-in-any-namespace\" feature by setting application.namespaces in the argocd-cmd-params-cm ConfigMap or otherwise setting the --application-namespaces flags on the Application controller and API server components.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
],
"known_not_affected": [
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:1aee3b28612788811761b00bcffb97f899643b1ed2d624c4f5c023f2920b9164_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:dd0451c26897a5e03632b073f0e5b2e10d9665f160e071cff66d065c87bc1662_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:f31c15b113daafc9f52c3f3027ded69c45e69868c0ec7f4d51e498de38551e31_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:441063b467825b620cec873df9edfc5895580c7cd35852d121d15ac8901dc35a_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:a765f97e626340b468f37693caf160b9960520d54694dd66251e3d6221769abd_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:d24444f16c81aeeed12c4bce743c66bd4e754beb3d22a7e95e0e541b6b308688_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:633538bbab3eb3e19e03ef72334547c8ac8456a5468822aab8afe4d5b05217ac_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:8290826e6b7d74c3128228469c4d65e7a888a748bb3ebfdc2a39e19e7a621e5d_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e042760919b6ccdc275f84bebd782155125ee059ebbbc81a61427ce2a41ea883_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e9baa10af98c0829ff5e1e34df62b19f7b75775fb80327610911a6ad74cdd041_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:139f2fe77640e8adfed2f94089863c6326f15eb7d346f66345dbee8aa296670c_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:5cca52e075a7eb625170bec1c6c4b3cc9ca2e831548b12c38797cb2430b8286b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:acacaa3a5164793fd5b8be4dad07b256372ccab79c5a9ca8742f95a6529f6fec_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:28674aa8339f438392b8a22764454d8fe6b84824198168eebd654c67217f1e19_s390x",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:cb0c68dc9fd79ce19f32b3f58a98af084158b4254d7e2884f5036d66328baefe_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:df3b6cb8ae5c120c915415dcd087fc73135ba1da0963c071a581f62d73dc9e6c_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2023-22736"
},
{
"category": "external",
"summary": "RHBZ#2162517",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162517"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2023-22736",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22736"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-22736",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22736"
},
{
"category": "external",
"summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw",
"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw"
}
],
"release_date": "2023-01-25T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2023:0467"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:5b2ffb708f897def6a30ce79bdd2a0752f9dc94604aa1cc00c3c09888d01dd9b_ppc64le",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:697fe3260ad43dd554f6092346c3f0106af0215211771e9b2172de8d24fd53d0_amd64",
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:cdda42e902ec80fa1011d50f0a92bfb1c4664eb2b7fc3c0973d0784f759b06b2_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "argocd: Controller reconciles apps outside configured namespaces when sharding is enabled"
}
]
}
wid-sec-w-2023-0201
Vulnerability from csaf_certbund
Published
2023-01-25 23:00
Modified
2023-01-25 23:00
Summary
Red Hat OpenShift: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Red Hat OpenShift ist eine "Platform as a Service" (PaaS) Lösung zur Bereitstellung von Applikationen in der Cloud.
Angriff
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Red Hat OpenShift ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Red Hat OpenShift ist eine \"Platform as a Service\" (PaaS) L\u00f6sung zur Bereitstellung von Applikationen in der Cloud.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Red Hat OpenShift ausnutzen, um Sicherheitsvorkehrungen zu umgehen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2023-0201 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-0201.json"
},
{
"category": "self",
"summary": "WID-SEC-2023-0201 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0201"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0468 vom 2023-01-25",
"url": "https://access.redhat.com/errata/RHSA-2023:0468"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0467 vom 2023-01-25",
"url": "https://access.redhat.com/errata/RHSA-2023:0467"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2023:0466 vom 2023-01-25",
"url": "https://access.redhat.com/errata/RHSA-2023:0466"
}
],
"source_lang": "en-US",
"title": "Red Hat OpenShift: Mehrere Schwachstellen erm\u00f6glichen Umgehen von Sicherheitsvorkehrungen",
"tracking": {
"current_release_date": "2023-01-25T23:00:00.000+00:00",
"generator": {
"date": "2024-02-15T17:11:43.576+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.0"
}
},
"id": "WID-SEC-W-2023-0201",
"initial_release_date": "2023-01-25T23:00:00.000+00:00",
"revision_history": [
{
"date": "2023-01-25T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift \u003c GitOps 1.5.9",
"product": {
"name": "Red Hat OpenShift \u003c GitOps 1.5.9",
"product_id": "T026033",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:gitops_1.5.9"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift \u003c GitOps 1.6.4",
"product": {
"name": "Red Hat OpenShift \u003c GitOps 1.6.4",
"product_id": "T026034",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:gitops_1.6.4"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift \u003c GitOps 1.7",
"product": {
"name": "Red Hat OpenShift \u003c GitOps 1.7",
"product_id": "T026035",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:gitops_1.7"
}
}
}
],
"category": "product_name",
"name": "OpenShift"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-22736",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in Red Hat OpenShift GitOps. Es besteht ein Fehler in einer API der Komponente \"ArgoCD\", welche eine Umgehung der Authentisierung erm\u00f6glicht. Dabei ist es m\u00f6glich Applikationen au\u00dferhalb von angegeben Bereichen zu starten. Ein entfernter, authentisierter Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsvorkehrungen zu umgehen."
}
],
"release_date": "2023-01-25T23:00:00Z",
"title": "CVE-2023-22736"
},
{
"cve": "CVE-2023-22482",
"notes": [
{
"category": "description",
"text": "Es existiert eine Schwachstelle in Red Hat OpenShift GitOps. Diese ist auf einen Fehler bei der Authentisierung in der Komponente \"ArgoCD\" zur\u00fcckzuf\u00fchren. Ein entfernter, anonymer Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsvorkehrungen zu umgehen."
}
],
"release_date": "2023-01-25T23:00:00Z",
"title": "CVE-2023-22482"
}
]
}
Loading...