cve-2023-23947
Vulnerability from cvelistv5
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:49:08.348Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j" }, { "name": "https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "argo-cd", "vendor": "argoproj", "versions": [ { "status": "affected", "version": "\u003e= 2.3.0-rc1, \u003c 2.3.17" }, { "status": "affected", "version": "\u003e= 2.4.0, \u003c 2.4.23" }, { "status": "affected", "version": "\u003e= 2.5.0, \u003c 2.5.11" }, { "status": "affected", "version": "\u003e= 2.6.0, \u003c 2.6.2" } ] } ], "descriptions": [ { "lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-16T17:39:27.574Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j" }, { "name": "https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945" } ], "source": { "advisory": "GHSA-3jfq-742w-xg8j", "discovery": "UNKNOWN" }, "title": "Argo CD users with any cluster secret update access may update out-of-bounds cluster secrets" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-23947", "datePublished": "2023-02-16T17:39:27.574Z", "dateReserved": "2023-01-19T21:12:31.362Z", "dateUpdated": "2024-08-02T10:49:08.348Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2023-23947\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-02-16T18:15:11.310\",\"lastModified\":\"2024-08-07T15:43:51.540\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo CD is a declarative, GitOps continuous delivery tool 
for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":6.0},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":9.1,\"baseSeverity\":\"CRITICAL\"},\"exploitabilityScore\":2.3,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]},{\"source\":\"security-advisor
ies@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.3.0\",\"versionEndExcluding\":\"2.3.17\",\"matchCriteriaId\":\"01F0F9FB-9877-4CA3-A9F1-1C8B79E3DC3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.4.0\",\"versionEndExcluding\":\"2.4.23\",\"matchCriteriaId\":\"F32C8974-5576-4D8A-8286-DA7EC6F6DA2B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.5.0\",\"versionEndExcluding\":\"2.5.11\",\"matchCriteriaId\":\"875E38E1-72CE-4DEC-AAE1-B89574E46C1B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.6.0\",\"versionEndExcluding\":\"2.6.2\",\"matchCriteriaId\":\"4E764C4A-38DB-468D-88BB-F1E9C1E2CDD7\"}]}]}],\"references\":[{\"url\":\"https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
rhsa-2023_0803
Vulnerability from csaf_redhat
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat OpenShift GitOps 1.7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Security Fix(es):\n\n* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)\n\n* go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents (CVE-2022-3064)\n\n* ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets (CVE-2023-23947)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:0803", "url": "https://access.redhat.com/errata/RHSA-2023:0803" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2156729", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156729" }, { "category": "external", "summary": "2163037", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163037" }, { "category": "external", "summary": "2167819", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167819" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0803.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update", "tracking": { "current_release_date": "2024-11-06T02:27:37+00:00", "generator": { "date": "2024-11-06T02:27:37+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2023:0803", "initial_release_date": "2023-02-17T03:46:17+00:00", "revision_history": [ { "date": "2023-02-17T03:46:17+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-02-17T03:46:17+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T02:27:37+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red 
Hat OpenShift GitOps 1.7", "product": { "name": "Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_gitops:1.7::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift GitOps" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le", "product": { "name": "openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le", "product_id": "openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le", "product_identification_helper": { "purl": "pkg:oci/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le", "product": { "name": "openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le", "product_id": "openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le", "product_identification_helper": { "purl": "pkg:oci/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/console-plugin-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le", "product": { "name": "openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le", "product_id": 
"openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le", "product": { "name": "openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le", "product_id": "openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le", "product_identification_helper": { "purl": "pkg:oci/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le", "product": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le", "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le", "product_identification_helper": { "purl": "pkg:oci/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le", "product": { "name": 
"openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le", "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.7.2-5" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "product": { "name": "openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "product_id": "openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "product_identification_helper": { "purl": "pkg:oci/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64", "product": { "name": "openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64", "product_id": "openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64", "product_identification_helper": { "purl": "pkg:oci/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/console-plugin-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": 
"openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64", "product_id": "openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64", "product": { "name": "openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64", "product_id": "openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64", "product_identification_helper": { "purl": "pkg:oci/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64", "product": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64", "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64", "product_identification_helper": { "purl": "pkg:oci/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": 
"openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64", "product": { "name": "openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64", "product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64", "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.7.2-5" } } } ], "category": "architecture", "name": "amd64" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "product": { "name": "openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "product_id": "openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "product_identification_helper": { "purl": 
"pkg:oci/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x", "product": { "name": "openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x", "product_id": "openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x", "product_identification_helper": { "purl": "pkg:oci/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/console-plugin-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x", "product": { "name": "openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x", "product_id": "openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x", "product": { "name": "openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x", "product_id": "openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x", 
"product_identification_helper": { "purl": "pkg:oci/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x", "product": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x", "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x", "product_identification_helper": { "purl": "pkg:oci/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.7.2-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x", "product": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x", "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.7.2-5" } } } ], "category": "architecture", "name": "s390x" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x as a component of Red Hat OpenShift GitOps 1.7", "product_id": 
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x" }, "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64 as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64" }, "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le" }, "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le" }, "product_reference": "openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le", 
"relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64 as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64" }, "product_reference": "openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x" }, "product_reference": "openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64 as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64" }, "product_reference": "openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x as a component of Red Hat OpenShift 
GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x" }, "product_reference": "openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le" }, "product_reference": "openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64 as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64" }, "product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x" }, "product_reference": 
"openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le" }, "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64 as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64 as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": 
"openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le" }, "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x" }, "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x" }, "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64 as a component of Red Hat OpenShift GitOps 1.7", "product_id": 
"8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64" }, "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64", "relates_to_product_reference": "8Base-GitOps-1.7" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le as a component of Red Hat OpenShift GitOps 1.7", "product_id": "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le" }, "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le", "relates_to_product_reference": "8Base-GitOps-1.7" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4238", "cwe": { "id": "CWE-331", "name": "Insufficient Entropy" }, "discovery_date": "2022-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x", "8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le", 
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156729" } ], "notes": [ { "category": "description", "text": "A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issue significantly reduces the amount of entropy generated in short strings by these functions.", "title": "Vulnerability description" }, { "category": "summary", "text": "goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le", 
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le" ], "known_not_affected": [ "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x", "8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4238" }, { "category": "external", "summary": "RHBZ#2156729", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=2156729" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4238", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4238" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4238", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4238" }, { "category": "external", "summary": "https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1", "url": "https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-3839-6r69-m497", "url": "https://github.com/advisories/GHSA-3839-6r69-m497" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2022-0411", "url": "https://pkg.go.dev/vuln/GO-2022-0411" } ], "release_date": "2022-12-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-17T03:46:17+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le", 
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0803" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "products": [ "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x", 
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be" }, { "cve": "CVE-2022-3064", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-01-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64", 
"8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2163037" } ], "notes": [ { "category": "description", "text": "A flaw was found in go-yaml. 
This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.", "title": "Vulnerability description" }, { "category": "summary", "text": "go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le" ], "known_not_affected": [ "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le", 
"8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3064" }, { "category": "external", "summary": "RHBZ#2163037", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163037" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3064", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3064" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3064", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3064" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-6q6q-88xp-6f2r", 
"url": "https://github.com/advisories/GHSA-6q6q-88xp-6f2r" }, { "category": "external", "summary": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5", "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" }, { "category": "external", "summary": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4", "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2022-0956", "url": "https://pkg.go.dev/vuln/GO-2022-0956" } ], "release_date": "2022-08-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-17T03:46:17+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0803" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", 
"8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents" }, { "cve": "CVE-2023-23947", "discovery_date": "2023-02-07T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64", 
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2167819" } ], "notes": [ { "category": "description", "text": "A flaw was found in ArgoCD. An improper authorization bug may allow an attacker to update at least one cluster secret, enabling them to change any other cluster secret. The attacker must know the URL for the targeted cluster and additionally it should be authenticated within the ArgoCD API server with enough privileges to update at least one cluster. 
A successful attack may lead to privilege escalations or denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le" ], "known_not_affected": [ "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:243698a0d707846209c9fbdccfc27d856c69c7fedc986244e67e15b3753c376e_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:91462e656b5eb2a043dd47730bdf143eceb9f92f14dff3ea88f6a622e8cdbc1b_amd64", "8Base-GitOps-1.7:openshift-gitops-1/console-plugin-rhel8@sha256:d14e75f35f7379306ed5c2bdde1faedf5f2a9f2ddee9e7e287e9e4a488578997_s390x", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:599d4876fdd9154183ea550dedbd29e2f62bc54ebef39f863c4e6340caa321cc_amd64", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:87ea07546cd74311850546c8a798d49c6d206b6bf40971981d6c9449aeb5399c_s390x", "8Base-GitOps-1.7:openshift-gitops-1/dex-rhel8@sha256:c113d9688c45115124e4b54e670ac23309214a8bbc7be45dd247e01144bada1b_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-operator-bundle@sha256:ec0dba75d110318fe1513346982468591412b61e40e9dd8c9436f586977f0225_amd64", 
"8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:b5cb00fc43571269aad5ecf0a778ec139a86ee5dcea0f9ab0f9aa8359a8cd544_s390x", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:bbf970d916e70f6c355a0f46d5aebac7a40bb7a8d0f3c88e54b4c9594a148609_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8-operator@sha256:e1ad747e6897f848bb678149f793381ba939580b6ea3d3e402862730e0167bbf_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:1bad76a860f3797db87162a6f5ecb62779211dff9aaefdce00cf18cff1eec04f_amd64", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:7847ed11dda4ee9dda0cc5acf4e1a2d53daee2f7eb1eeceed107d9f5f0eafdeb_ppc64le", "8Base-GitOps-1.7:openshift-gitops-1/gitops-rhel8@sha256:e8d07649283ee58baee5787fb91be7306a4647ceafda8e29e34c164910af5de0_s390x", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:0512e79564b78645f9f5c9eefb81c2c22f13a1b320dbd4eb5eb25f6c66096b25_s390x", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6239f8b5efd6839cd1dfc8f032b005cc5cefcb7a94dba9508d749cbbe7306e30_amd64", "8Base-GitOps-1.7:openshift-gitops-1/kam-delivery-rhel8@sha256:6cb64efe25cd6c41abe9a58176ec103a9801a8e72594396988865995cef01279_ppc64le" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-23947" }, { "category": "external", "summary": "RHBZ#2167819", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167819" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-23947", "url": "https://www.cve.org/CVERecord?id=CVE-2023-23947" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-23947", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23947" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j" } ], "release_date": 
"2023-02-16T20:51:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-17T03:46:17+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0803" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:1162e57874f39e1edbed8db181ec06edef1585a2f643f0121fcdd291059345d8_s390x", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:98f30bf044386bb6343a266829e40b4fdc9bd83ad4f8139d103f939b5a527b7d_amd64", "8Base-GitOps-1.7:openshift-gitops-1/argocd-rhel8@sha256:eb9a7c5dcc7ef24a113743cbae3749830be6cf9116fffd591c8e244f47a5b3c8_ppc64le" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets" } ] }
rhsa-2023_0802
Vulnerability from csaf_redhat
Notes
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat OpenShift GitOps 1.6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Security Fix(es):\n\n* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)\n\n* go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents (CVE-2022-3064)\n\n* ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets (CVE-2023-23947)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:0802", "url": "https://access.redhat.com/errata/RHSA-2023:0802" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2156729", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156729" }, { "category": "external", "summary": "2163037", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163037" }, { "category": "external", "summary": "2167819", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167819" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0802.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update", "tracking": { "current_release_date": "2024-11-06T02:27:14+00:00", "generator": { "date": "2024-11-06T02:27:14+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2023:0802", "initial_release_date": "2023-02-17T03:32:38+00:00", "revision_history": [ { "date": "2023-02-17T03:32:38+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-02-17T03:32:38+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T02:27:14+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red 
Hat OpenShift GitOps 1.6", "product": { "name": "Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_gitops:1.6::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift GitOps" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "product": { "name": "openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "product_id": "openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "product_identification_helper": { "purl": "pkg:oci/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le", "product": { "name": "openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le", "product_id": "openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le", "product": { "name": "openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le", "product_id": 
"openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le", "product_identification_helper": { "purl": "pkg:oci/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le", "product": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le", "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le", "product_identification_helper": { "purl": "pkg:oci/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le", "product": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le", "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.6.5-5" } } } ], "category": "architecture", "name": "ppc64le" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x", "product": { 
"name": "openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x", "product_id": "openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x", "product_identification_helper": { "purl": "pkg:oci/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x", "product": { "name": "openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x", "product_id": "openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x", "product": { "name": "openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x", "product_id": "openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x", "product_identification_helper": { "purl": "pkg:oci/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x", "product": { "name": 
"openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x", "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x", "product_identification_helper": { "purl": "pkg:oci/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x", "product": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x", "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.6.5-5" } } } ], "category": "architecture", "name": "s390x" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "product": { "name": "openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "product_id": "openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "product_identification_helper": { "purl": "pkg:oci/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": 
"openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64", "product_id": "openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64", "product": { "name": "openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64", "product_id": "openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64", "product_identification_helper": { "purl": "pkg:oci/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64", "product": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64", "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64", "product_identification_helper": { "purl": "pkg:oci/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": 
"openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64", "product": { "name": "openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64", "product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.6.5-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64", "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.6.5-5" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le" }, "product_reference": 
"openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64 as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64" }, "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x" }, "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le" }, "product_reference": "openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": 
"openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x" }, "product_reference": "openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64 as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64" }, "product_reference": "openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64 as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64" }, "product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le as a component of Red Hat OpenShift GitOps 1.6", "product_id": 
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le" }, "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64 as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x" }, "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64 as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64" }, "product_reference": 
"openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le" }, "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x" }, "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le" }, "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": 
"openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x" }, "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x", "relates_to_product_reference": "8Base-GitOps-1.6" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64 as a component of Red Hat OpenShift GitOps 1.6", "product_id": "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64" }, "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64", "relates_to_product_reference": "8Base-GitOps-1.6" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4238", "cwe": { "id": "CWE-331", "name": "Insufficient Entropy" }, "discovery_date": "2022-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2156729" } ], "notes": [ { "category": "description", "text": "A flaw was found in 
goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issue significantly reduces the amount of entropy generated in short strings by these functions.", "title": "Vulnerability description" }, { "category": "summary", "text": "goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64", 
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64" ], "known_not_affected": [ "8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4238" }, { "category": "external", "summary": "RHBZ#2156729", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156729" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4238", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4238" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4238", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4238" }, { "category": "external", "summary": "https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1", "url": "https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-3839-6r69-m497", "url": 
"https://github.com/advisories/GHSA-3839-6r69-m497" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2022-0411", "url": "https://pkg.go.dev/vuln/GO-2022-0411" } ], "release_date": "2022-12-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-17T03:32:38+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x", 
"8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0802" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "products": [ "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le", 
"8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be" }, { "cve": "CVE-2022-3064", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-01-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x", 
"8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2163037" } ], "notes": [ { "category": "description", "text": "A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.", "title": "Vulnerability description" }, { "category": "summary", "text": "go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x" ], "known_not_affected": [ "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x", 
"8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3064" }, { "category": "external", "summary": "RHBZ#2163037", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163037" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3064", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3064" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3064", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-3064" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-6q6q-88xp-6f2r", "url": "https://github.com/advisories/GHSA-6q6q-88xp-6f2r" }, { "category": "external", "summary": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5", "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" }, { "category": "external", "summary": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4", "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2022-0956", "url": "https://pkg.go.dev/vuln/GO-2022-0956" } ], "release_date": "2022-08-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-17T03:32:38+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0802" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ 
"8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents" }, { "cve": "CVE-2023-23947", "discovery_date": "2023-02-07T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le", 
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2167819" } ], "notes": [ { "category": "description", "text": "A flaw was found in ArgoCD. An improper authorization bug may allow an attacker to update at least one cluster secret, enabling them to change any other cluster secret. The attacker must know the URL for the targeted cluster and additionally it should be authenticated within the ArgoCD API server with enough privileges to update at least one cluster. 
A successful attack may lead to privilege escalations or denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x" ], "known_not_affected": [ "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:ad6199629e6bfe375da2021a0b1e33a6777c5ec80b4cdc48d124c5ae66b41b91_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:caba1edb4b29871bf13754624ce6fea8ce0fb206ff3deab74dfb1f69cdada3de_s390x", "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:f3eac8e34b1f47a4abed5942381ee7fab322fd448a7a38137b304424b6c14673_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:eda1bdaea4ba06884aec368634a61bbb09d87403ac43fab39c4d9d1d89c5e688_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:1341134b6a64134053ef2c4ac989669eb60642f397e0635f894f89050175c1c5_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:4bf2edccb39f3c0bfd25f94f373e72b34b2ac290627acb57702668756d1a60bc_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:54d2fecba7960cb6b9416ca2c7cd1d208738ae0ff8701d97279573588c383bc0_s390x", 
"8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:1371f75530c27f72de038581c8b5ab0c6a2a8aef034d4ba07a15c6d22d47831c_amd64", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:419630df6398e0a9848c15e68f6d987dfe8f95f66eefab13e590ce6609baa9bb_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:bb006bfbf1002c21e51b27764d6a0ed8891fb1585772511ee10977deaa90b6f5_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:561af97f31088277652ca919cd345656f0e553bbe372b4a2219e653f676b5328_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:bfdc8c3bc64cbc53cc279b8567fd200154ad02f3e2070c6511955aa53fe23a5d_s390x", "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:c223afae61e20a596af8565937f7ae174f1de321785ab8def1fdd24f8b6d8e1d_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-23947" }, { "category": "external", "summary": "RHBZ#2167819", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167819" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-23947", "url": "https://www.cve.org/CVERecord?id=CVE-2023-23947" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-23947", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23947" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j" } ], "release_date": "2023-02-16T20:51:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-17T03:32:38+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", 
"8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0802" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:0c5bee99b57d4c22542b4db0bb3c0cbb8cfc2ec5aabbb558de46113595068959_ppc64le", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:58bba66450206469ebe607691b61afc2146d96d26ffedfc6f506fde172f31674_amd64", "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:77d3b63cebeb6a1ca940dd93a00ef2ccbca5d32b5e54ee2bbedba20f38146bc4_s390x" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets" } ] }
rhsa-2023_0804
Vulnerability from csaf_redhat
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update is now available for Red Hat OpenShift GitOps 1.5.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Security Fix(es):\n\n* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238)\n\n* go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents (CVE-2022-3064)\n\n* ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets (CVE-2023-23947)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2023:0804", "url": "https://access.redhat.com/errata/RHSA-2023:0804" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "2156729", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156729" }, { "category": "external", "summary": "2163037", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163037" }, { "category": "external", "summary": "2167819", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167819" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_0804.json" } ], "title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update", "tracking": { "current_release_date": "2024-11-06T02:27:26+00:00", "generator": { "date": "2024-11-06T02:27:26+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2023:0804", "initial_release_date": "2023-02-17T04:12:08+00:00", "revision_history": [ { "date": "2023-02-17T04:12:08+00:00", "number": "1", "summary": "Initial version" }, { "date": "2023-02-17T04:12:08+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-06T02:27:26+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red 
Hat OpenShift GitOps 1.5", "product": { "name": "Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5", "product_identification_helper": { "cpe": "cpe:/a:redhat:openshift_gitops:1.5::el8" } } } ], "category": "product_family", "name": "Red Hat OpenShift GitOps" }, { "branches": [ { "category": "product_version", "name": "openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64", "product": { "name": "openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64", "product_id": "openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64", "product_identification_helper": { "purl": "pkg:oci/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.5.10-6" } } }, { "category": "product_version", "name": "openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64", "product": { "name": "openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64", "product_id": "openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64", "product_identification_helper": { "purl": "pkg:oci/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.5.10-6" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64", "product_id": 
"openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.5.10-6" } } }, { "category": "product_version", "name": "openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64", "product": { "name": "openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64", "product_id": "openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64", "product_identification_helper": { "purl": "pkg:oci/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.5.10-6" } } }, { "category": "product_version", "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64", "product": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64", "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64", "product_identification_helper": { "purl": "pkg:oci/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.5.10-6" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64", "product": { "name": 
"openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64", "product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.5.10-5" } } }, { "category": "product_version", "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64", "product": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64", "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64", "product_identification_helper": { "purl": "pkg:oci/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.5.10-6" } } } ], "category": "architecture", "name": "amd64" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64" }, "product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { 
"name": "openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64" }, "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64" }, "product_reference": "openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64" }, "product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": 
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64" }, "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" }, { "category": "default_component_of", "full_product_name": { "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64 as a component of Red Hat OpenShift GitOps 1.5", "product_id": "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64" }, "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64", "relates_to_product_reference": "8Base-GitOps-1.5" } ] }, "vulnerabilities": [ { "cve": "CVE-2021-4238", "cwe": { "id": "CWE-331", "name": "Insufficient Entropy" }, "discovery_date": "2022-12-28T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64" ] } ], "ids": [ { 
"system_name": "Red Hat Bugzilla ID", "text": "2156729" } ], "notes": [ { "category": "description", "text": "A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issue significantly reduces the amount of entropy generated in short strings by these functions.", "title": "Vulnerability description" }, { "category": "summary", "text": "goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64" ], "known_not_affected": [ "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64" ] }, "references": [ { "category": "self", 
"summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-4238" }, { "category": "external", "summary": "RHBZ#2156729", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2156729" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-4238", "url": "https://www.cve.org/CVERecord?id=CVE-2021-4238" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-4238", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4238" }, { "category": "external", "summary": "https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1", "url": "https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-3839-6r69-m497", "url": "https://github.com/advisories/GHSA-3839-6r69-m497" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2022-0411", "url": "https://pkg.go.dev/vuln/GO-2022-0411" } ], "release_date": "2022-12-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-17T04:12:08+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64" ], 
"restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0804" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "products": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be" }, { "cve": "CVE-2022-3064", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2023-01-23T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64", 
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2163037" } ], "notes": [ { "category": "description", "text": "A flaw was found in go-yaml. This issue causes the consumption of excessive amounts of CPU or memory when attempting to parse a large or maliciously crafted YAML document.", "title": "Vulnerability description" }, { "category": "summary", "text": "go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64" ], "known_not_affected": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64", 
"8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2022-3064" }, { "category": "external", "summary": "RHBZ#2163037", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163037" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2022-3064", "url": "https://www.cve.org/CVERecord?id=CVE-2022-3064" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-3064", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3064" }, { "category": "external", "summary": "https://github.com/advisories/GHSA-6q6q-88xp-6f2r", "url": "https://github.com/advisories/GHSA-6q6q-88xp-6f2r" }, { "category": "external", "summary": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5", "url": "https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5" }, { "category": "external", "summary": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4", "url": "https://github.com/go-yaml/yaml/releases/tag/v2.2.4" }, { "category": "external", "summary": "https://pkg.go.dev/vuln/GO-2022-0956", "url": "https://pkg.go.dev/vuln/GO-2022-0956" } ], "release_date": "2022-08-29T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-17T04:12:08+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0804" 
} ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents" }, { "cve": "CVE-2023-23947", "discovery_date": "2023-02-07T00:00:00+00:00", "flags": [ { "label": "vulnerable_code_not_present", "product_ids": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64" ] } ], "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "2167819" } ], "notes": [ { "category": "description", "text": "A flaw was found in ArgoCD. An improper authorization bug may allow an attacker to update at least one cluster secret, enabling them to change any other cluster secret. 
The attacker must know the URL for the targeted cluster and additionally it should be authenticated within the ArgoCD API server with enough privileges to update at least one cluster. A successful attack may lead to privilege escalations or denial of service.", "title": "Vulnerability description" }, { "category": "summary", "text": "ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64" ], "known_not_affected": [ "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:5869b9bb375b249851b6a24147fda4aea656e7f831ddae21236b4dc3be1fd8a9_amd64", "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:2dc9a23e5d386eb265c4387d7e601d06805d2af24f93882bf7eb9724fd98da66_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:4760018938bf0f42306f6b38e88914e5bba0cd04722bea589978f6f7066d77af_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:e0405b30d399aaf0e37889c857acbb7535535a983ce4f93fe039a2d45d08c906_amd64", "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:dee762e15417ae9e9ea17b357de03a56f46ab1f1e246c96411e4a97f4ee5ac8c_amd64", "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:3e8aefa1c162233b85e03f981e8b4d97bf6dcdd89e5e94648a3a6042f0443797_amd64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2023-23947" }, { "category": "external", "summary": "RHBZ#2167819", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167819" }, { 
"category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2023-23947", "url": "https://www.cve.org/CVERecord?id=CVE-2023-23947" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-23947", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23947" }, { "category": "external", "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j" } ], "release_date": "2023-02-16T20:51:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2023-02-17T04:12:08+00:00", "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", "product_ids": [ "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2023:0804" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "products": [ "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:100795f5d8f6d7add9428e1b4838b67b59db14b0fae7372ab16c6871d4ddb32e_amd64" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets" } ] }
ghsa-3jfq-742w-xg8j
Vulnerability from github
Impact
All Argo CD versions starting with v2.3.0-rc1 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret.
The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters).
How the Attack Works
Argo CD stores cluster access configurations as Kubernetes Secrets. To take advantage of the vulnerability, an attacker must know the server URL for the cluster secret they want to modify.
The attacker must be authenticated with the Argo CD API server, and they must be authorized to update at least one (non project-scoped) cluster. Then they must craft a malicious request to the Argo CD API server.
Removing Deployment Restrictions
A cluster Secret's `clusterResources` field determines whether Argo CD users may deploy cluster-scoped resources to that cluster. The `namespaces` field determines the namespaces to which Argo CD users may deploy resources.
You can use this command to determine whether any of your cluster configurations employ these restrictions (replace `argocd` with the namespace of your Argo CD installation):

```shell
kubectl get secret -n argocd -l 'argocd.argoproj.io/secret-type=cluster' -ojson | jq '.items |
  map(.data |= with_entries(.value |= @base64d)) |   # base64-decode every data field of each Secret
  map(select(.data | (
    (.clusterResources != null and .clusterResources == "false") or  # cluster-scoped resource management is denied
    (.namespaces != null and .namespaces != "")                      # deployment is limited to the listed namespaces
  )) | .metadata.name)'
```
The `clusterResources` and `namespaces` fields are one line of defense against unauthorized management of Kubernetes resources. Users should also have AppProject and RBAC restrictions in place.
If `clusterResources: "false"` or `namespaces: "some,namespaces"` are the only mechanisms preventing an attacker from maliciously managing certain resources via Argo CD, then this vulnerability could allow that attacker to manage out-of-bounds resources via Argo CD (create, get, update, delete).
Modifying Connection Parameters
Cluster secrets also hold client configuration for connecting to the remote cluster. One option is to skip TLS certificate verification. An attacker could disable certificate verification in an effort to achieve a malicious-in-the-middle (MITM) attack.
Alternatively, an attacker could apply an invalid configuration (for example, by setting an invalid bearer token) and achieve a denial-of-service by preventing Argo CD from managing the target cluster.
Changing Unscoped Clusters to be Scoped
The vulnerability also allows an attacker to modify a previously-unscoped cluster and make it scoped. This is important if you are using `permitOnlyProjectScopedClusters: true` in a project under which the attacker can deploy. By scoping a previously-unscoped cluster under that project, they can grant themselves the ability to manage resources on the target cluster.
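The three conditions described above (a deploy boundary that lives only in the cluster Secret, TLS verification that can be switched off, and unscoped clusters that can be re-scoped) can be checked in one pass over the same `kubectl ... -ojson` output the jq command consumes. The following is an added example written for this page, not code from the Argo CD project; the Secret names, server URLs and the `SAMPLE_SECRET_LIST` document are constructed stand-ins for real output, and the `config` field uses the `tlsClientConfig.insecure` key from Argo CD's declarative cluster format. `restricted_cluster_names` reproduces the jq filter; `audit_clusters` goes further and reports the other two conditions per Secret.

```python
from __future__ import annotations

import base64
import json


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def _cluster_secret(name: str, server: str, insecure: bool, **extra: str) -> dict:
    """Build one item in the shape kubectl returns for an Argo CD cluster Secret (constructed)."""
    config = {"bearerToken": "REDACTED", "tlsClientConfig": {"insecure": insecure}}
    data = {"name": name, "server": server, "config": json.dumps(config), **extra}
    return {"metadata": {"name": f"{name}-cluster"},
            "data": {k: _b64(v) for k, v in data.items()}}


# Constructed sample shaped like:
#   kubectl get secret -n argocd -l argocd.argoproj.io/secret-type=cluster -ojson
# Hypothetical names and URLs; not data from any real installation.
SAMPLE_SECRET_LIST = json.dumps({"items": [
    # deploy boundary enforced only by the Secret: no cluster-scoped kinds, two namespaces
    _cluster_secret("prod", "https://prod.example.internal", False,
                    clusterResources="false", namespaces="team-a,team-b"),
    # certificate verification already disabled
    _cluster_secret("staging", "https://staging.example.internal", True),
    # project-scoped cluster with no Secret-level restrictions
    _cluster_secret("team-c", "https://team-c.example.internal", False, project="team-c"),
]})


def decode_cluster_secret(item: dict) -> dict:
    """Base64-decode the data fields of one cluster Secret and parse its `config` JSON."""
    data = {k: base64.b64decode(v).decode() for k, v in item.get("data", {}).items()}
    data["config"] = json.loads(data["config"]) if data.get("config") else {}
    data["_secret"] = item["metadata"]["name"]
    return data


def uses_secret_level_restrictions(cluster: dict) -> bool:
    """Same condition as the advisory's jq filter: cluster kinds denied or namespaces limited."""
    return (cluster.get("clusterResources") == "false"
            or bool(cluster.get("namespaces", "").strip()))


def restricted_cluster_names(secret_list_json: str) -> list[str]:
    """Secret names whose deploy boundary is enforced only by the cluster Secret itself."""
    items = json.loads(secret_list_json)["items"]
    return [c["_secret"] for c in map(decode_cluster_secret, items)
            if uses_secret_level_restrictions(c)]


def audit_clusters(secret_list_json: str) -> dict[str, list[str]]:
    """Map each cluster Secret to the conditions that matter for CVE-2023-23947."""
    report: dict[str, list[str]] = {}
    for item in json.loads(secret_list_json)["items"]:
        c = decode_cluster_secret(item)
        findings = []
        if uses_secret_level_restrictions(c):
            findings.append("deploy boundary enforced by clusterResources/namespaces in the Secret")
        if c["config"].get("tlsClientConfig", {}).get("insecure"):
            findings.append("TLS certificate verification disabled (tlsClientConfig.insecure=true)")
        if not c.get("project"):
            findings.append("unscoped cluster: a user with clusters,update could re-scope it into a project")
        report[c["_secret"]] = findings
    return report


if __name__ == "__main__":
    for secret, findings in audit_clusters(SAMPLE_SECRET_LIST).items():
        print(secret, "->", findings or ["no findings"])
```

To run it against a live installation, replace `SAMPLE_SECRET_LIST` with the captured output of the kubectl command; the `bearerToken` value is decoded along with everything else, so do not log the decoded dicts.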
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v2.6.2
- v2.5.11
- v2.4.23
- v2.3.17
Workarounds
The best way to mitigate the vulnerability is to upgrade. The following two sections explain other ways to mitigate the vulnerability if you are currently unable to upgrade.
Limit Users with Cluster Update Access
The only complete mitigation besides upgrading is to modify your RBAC configuration to completely revoke all `clusters, update` access.
To exploit this vulnerability, an attacker must have access to update at least one cluster configuration. Check your RBAC configuration for lines like this:

```
p, role:developers, clusters, update, *, allow
p, role:developers, clusters, *, *, allow
p, role:developers, *, update, *, allow
```

Revoke `clusters, update` access for any users who do not absolutely need that access.
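The three policy lines above are the obvious shapes, but a `clusters, update` grant can also hide behind a `*, *, *` rule or be inherited through `g` role assignments. The following is an added example for this page, not Argo CD's own RBAC engine: it scans a `policy.csv` for every `allow` rule whose resource and action columns cover `clusters` and `update` (wildcards included) and resolves which users inherit those roles. The `SAMPLE_POLICY` roles and users are constructed. It only reports `allow` rules; `deny` rules, `policy.default` and group claims from SSO are not evaluated, so the output is a review list rather than a full authorization decision.

```python
from __future__ import annotations

import csv
from io import StringIO

# Constructed policy.csv in Argo CD's RBAC format (hypothetical roles and users).
SAMPLE_POLICY = """\
# p, <subject>, <resource>, <action>, <object>, <effect>
p, role:readonly, applications, get, */*, allow
p, role:readonly, clusters, get, *, allow
p, role:developers, clusters, update, *, allow
p, role:ops, clusters, *, *, allow
p, role:qa, *, update, *, allow
p, role:team-c, clusters, update, team-c/*, allow
p, role:admin, *, *, *, allow
g, alice, role:developers
g, bob, role:readonly
g, carol, role:ops
g, dave, role:team-c
"""


def _rows(policy_csv: str):
    """Yield policy rows as stripped field lists, skipping blank lines and '#' comments."""
    for row in csv.reader(StringIO(policy_csv)):
        fields = [f.strip() for f in row]
        if fields and fields[0] and not fields[0].startswith("#"):
            yield fields


def find_cluster_update_grants(policy_csv: str) -> list[dict]:
    """Every `allow` policy line that grants `clusters, update`, directly or via wildcards."""
    grants = []
    for fields in _rows(policy_csv):
        if fields[0] != "p" or len(fields) < 6:
            continue
        _, subject, resource, action, obj, effect = fields[:6]
        if effect == "allow" and resource in ("clusters", "*") and action in ("update", "*"):
            grants.append({
                "subject": subject,
                "resource": resource,
                "action": action,
                "object": obj,
                # A '/' in the object pattern means the rule is written against
                # project-scoped cluster objects (project/server) rather than bare server URLs.
                "scoped_pattern": "/" in obj,
            })
    return grants


def users_with_cluster_update(policy_csv: str) -> dict[str, list[str]]:
    """Resolve `g` assignments to list which subjects inherit a cluster-update grant."""
    granted_roles = {g["subject"] for g in find_cluster_update_grants(policy_csv)}
    users: dict[str, list[str]] = {}
    for fields in _rows(policy_csv):
        if fields[0] == "g" and len(fields) >= 3 and fields[2] in granted_roles:
            users.setdefault(fields[1], []).append(fields[2])
    return users


if __name__ == "__main__":
    for g in find_cluster_update_grants(SAMPLE_POLICY):
        print(f"{g['subject']}: {g['resource']}, {g['action']}, {g['object']}")
    print(users_with_cluster_update(SAMPLE_POLICY))
```

Feed it the `policy.csv` key of the `argocd-rbac-cm` ConfigMap; every subject it lists should either be an administrator or lose the grant until the upgrade is done.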
Restrict Resource Management via AppProjects and RBAC
AppProjects are a primary tool to restrict what resources may be managed via Argo CD.
You can use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields described above.
```yaml
apiVersion: argoproj.io/v1alpha1
kind: AppProject
spec:
  destinations:
  # Only allow Applications managed by this AppProject to manage resources in the `allowed-namespace` namespace.
  - namespace: 'allowed-namespace'
    server: 'https://your-server'
  # Do not allow Applications managed by this AppProject to manage any cluster-scoped resources.
  clusterResourceWhitelist: []
```
Along with adding AppProject restrictions, make sure that your RBAC restrictions are strict enough.
For example, limit `projects, update` access to Argo CD administrators only. Also use the `{project}` part of the `applications, *, {project}/{application}` object to limit users' access to certain, restricted, AppProjects.
AppProject restrictions can only prevent Applications from managing out-of-bounds resources. They cannot prevent an attacker from maliciously changing cluster connection TLS configuration.
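Whether the AppProject workaround actually holds depends on the projects in the installation, and the `default` project in particular usually ships with wildcard destinations. The following is an added example for this page, not part of the advisory or the Argo CD code base: it reads AppProjects in the shape `kubectl get appprojects -n argocd -ojson` returns and flags wildcard `destinations`, a `clusterResourceWhitelist` that allows every cluster-scoped kind, and `permitOnlyProjectScopedClusters: true` (the setting the "Changing Unscoped Clusters to be Scoped" section warns about). Project names and URLs in `SAMPLE_PROJECTS` are constructed.

```python
from __future__ import annotations

import json

# Constructed sample shaped like `kubectl get appprojects -n argocd -ojson`
# (hypothetical projects; not data from any real installation).
SAMPLE_PROJECTS = json.dumps({"items": [
    {"metadata": {"name": "default"},
     "spec": {"destinations": [{"namespace": "*", "server": "*"}],
              "clusterResourceWhitelist": [{"group": "*", "kind": "*"}]}},
    {"metadata": {"name": "team-a"},
     "spec": {"destinations": [{"namespace": "team-a",
                                "server": "https://prod.example.internal"}],
              "clusterResourceWhitelist": []}},
    {"metadata": {"name": "team-c"},
     "spec": {"destinations": [{"namespace": "team-c", "server": "*"}],
              "permitOnlyProjectScopedClusters": True}},
]})


def audit_appproject(project: dict) -> list[str]:
    """Findings for one AppProject given as a dict in the Kubernetes API shape."""
    spec = project.get("spec", {})
    findings = []
    for dest in spec.get("destinations", []):
        # A destination names its cluster by `server` URL or by cluster `name`.
        target = dest.get("server") or dest.get("name") or ""
        if dest.get("namespace") == "*":
            findings.append(f"destination {target or '?'} allows any namespace")
        if target == "*":
            findings.append("destination allows any cluster (server/name '*')")
    # An absent or empty whitelist denies all cluster-scoped kinds, which is the safe default.
    for rule in spec.get("clusterResourceWhitelist", []):
        if rule.get("group") == "*" and rule.get("kind") == "*":
            findings.append("clusterResourceWhitelist allows every cluster-scoped kind")
            break
    if spec.get("permitOnlyProjectScopedClusters"):
        findings.append("permitOnlyProjectScopedClusters=true: a user with clusters,update "
                        "could re-scope an unscoped cluster into this project and deploy to it")
    return findings


def audit_appprojects(projects_json: str) -> dict[str, list[str]]:
    """Map each AppProject name to its findings."""
    items = json.loads(projects_json)["items"]
    return {p["metadata"]["name"]: audit_appproject(p) for p in items}


if __name__ == "__main__":
    for name, findings in audit_appprojects(SAMPLE_PROJECTS).items():
        print(name, "->", findings or ["no findings"])
```

A project with no findings, combined with RBAC that confines its users to `applications, *, that-project/*`, is the configuration the workaround above describes; a project like `default` in the sample provides no boundary at all.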
For more information
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
{ "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-cd" }, "ranges": [ { "events": [ { "introduced": "2.3.0" }, { "fixed": "2.3.17" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-cd" }, "ranges": [ { "events": [ { "introduced": "2.4.0" }, { "fixed": "2.4.23" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-cd" }, "ranges": [ { "events": [ { "introduced": "2.5.0" }, { "fixed": "2.5.11" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Go", "name": "github.com/argoproj/argo-cd" }, "ranges": [ { "events": [ { "introduced": "2.6.0" }, { "fixed": "2.6.2" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-23947" ], "database_specific": { "cwe_ids": [ "CWE-863" ], "github_reviewed": true, "github_reviewed_at": "2023-02-16T20:47:25Z", "nvd_published_at": "2023-02-16T18:15:00Z", "severity": "CRITICAL" }, "details": "### Impact\n\nAll Argo CD versions starting with v2.3.0-rc1 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret.\n\nThe attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters).\n\n#### How the Attack Works\n\nArgo CD stores [cluster access configurations](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters) as Kubernetes Secrets. To take advantage of the vulnerability, an attacker must know the server URL for the cluster secret they want to modify. \n\nThe attacker must be authenticated with the Argo CD API server, and they must be authorized to update at least one ([non project-scoped](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/#project-scoped-repositories-and-clusters)) cluster. 
Then they must craft a malicious request to the Argo CD API server.\n\n#### Removing Deployment Restrictions\n\nA cluster Secret\u0027s `clusterResources` field determines whether Argo CD users may deploy cluster-scoped resources to that cluster. The `namespaces` field determines the namespaces to which Argo CD users may deploy resources.\n\nYou can use this command to determine whether any of your cluster configurations employ these restrictions (replace `argocd` with the namespace of your Argo CD installation):\n\n```shell\nkubectl get secret -n argocd -l \u0027argocd.argoproj.io/secret-type=cluster\u0027 -ojson | jq \u0027.items |\n map(.data |= with_entries(.value |= @base64d)) | # base64-decode secrets\n map(select(.data | (\n (.clusterResources != null and .clusterResources == \"false\") or # we deny cluster-scoped resource management\n (.namespaces != null and .namespaces != \"\") # we are only managing certain clusters\n )) | .metadata.name)\u0027\n```\n\nThe `clusterResources` and `namespaces` fields are one line of defense against unauthorized management of Kubernetes resources. Users should also have AppProject and RBAC restrictions in place.\n\nIf `clusterResources: \"false\"` or `namespaces: \"some,namespaces\"` are the _only_ mechanisms preventing an attacker from maliciously managing certain resources via Argo CD, then this vulnerability could allow that attacker to manage out-of-bounds resources via Argo CD (create, get, update, delete).\n\n#### Modifying Connection Parameters\n\nCluster secrets also hold client configuration for connecting to the remote cluster. One option is to skip TLS certificate verification. 
An attacker could disable certificate verification in an effort to achieve a malicious-in-the-middle (MITM) attack.\n\nAlternatively, an attacker could apply an invalid configuration (for example, by setting an invalid bearer token) and achieve a denial-of-service by preventing Argo CD from managing the target cluster.\n\n#### Changing Unscoped Clusters to be Scoped\n\nThe vulnerability also allows an attacker to modify a previously-unscoped cluster and make it [scoped](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/#project-scoped-repositories-and-clusters). This is important if you are using `permitOnlyProjectScopedClusters: true` in a project under which the attacker can deploy. By scoping a previously-unscoped cluster under that project, they can grant themselves the ability to manage resources on the target cluster.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD versions:\n\n* v2.6.2\n* v2.5.11\n* v2.4.23\n* v2.3.17\n\n### Workarounds\n\nThe best way to mitigate the vulnerability is to upgrade. The following two sections explain other ways to mitigate the vulnerability if you are currently unable to upgrade.\n\n#### Limit Users with Cluster Update Access\n\nThe only complete mitigation besides upgrading is to modify your RBAC configuration to completely revoke all `clusters, update` access.\n\nTo exploit this vulnerability, an attacker must have access to update at least one cluster configuration. 
Check your [RBAC configuration](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/), for lines like this:\n\n```\np, role:developers, clusters, update, *, allow\np, role:developers, clusters, *, *, allow\np, role:developers, *, update, *, allow\n```\n\nRevoke `clusters, update` access for any users who do not absolutely need that access.\n\n#### Restrict Resource Management via AppProjects and RBAC\n\n[AppProjects](https://argo-cd.readthedocs.io/en/stable/user-guide/projects/#projects) are a primary tool to restrict what resources may be managed via Argo CD.\n\nYou can use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields described above.\n\n```yaml\napiVersion: argoproj.io/v1alpha1\nkind: AppProject\nspec:\n destinations:\n # Only allow Applications managed by this AppProject to manage to the `allowed-namespace` namespace.\n - namespace: \u0027allowed-namespace\u0027\n server: \u0027https://your-server\u0027\n # Do not allow Applications managed by this AppProject to manage any cluster-scoped resources.\n clusterResourceWhitelist: []\n```\n\nAlong with adding AppProject restrictions, make sure that your RBAC restrictions are strict enough.\n\nFor example, limit `projects, update` access to Argo CD administrators only. Also use the `{project}` field in `applications, *, {project}/{application}` field to limit users\u0027 access to certain, restricted, AppProjects. \n\nAppProject restrictions can only prevent Applications from managing out-of-bounds resources. 
It cannot prevent an attacker from maliciously changing cluster connection TLS configuration.\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n", "id": "GHSA-3jfq-742w-xg8j", "modified": "2023-02-16T20:47:25Z", "published": "2023-02-16T20:47:25Z", "references": [ { "type": "WEB", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23947" }, { "type": "WEB", "url": "https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945" }, { "type": "PACKAGE", "url": "https://github.com/argoproj/argo-cd" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "type": "CVSS_V3" } ], "summary": "Users with any cluster secret update access may update out-of-bounds cluster secrets" }
gsd-2023-23947
Vulnerability from gsd
{ "GSD": { "alias": "CVE-2023-23947", "id": "GSD-2023-23947", "references": [ "https://access.redhat.com/errata/RHSA-2023:0802", "https://access.redhat.com/errata/RHSA-2023:0803", "https://access.redhat.com/errata/RHSA-2023:0804" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2023-23947" ], "details": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. 
Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields.", "id": "GSD-2023-23947", "modified": "2023-12-13T01:20:50.274073Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2023-23947", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "argo-cd", "version": { "version_data": [ { "version_affected": "=", "version_value": "\u003e= 2.3.0-rc1, \u003c 2.3.17" }, { "version_affected": "=", "version_value": "\u003e= 2.4.0, \u003c 2.4.23" }, { "version_affected": "=", "version_value": "\u003e= 2.5.0, \u003c 2.5.11" }, { "version_affected": "=", "version_value": "\u003e= 2.6.0, \u003c 2.6.2" } ] } } ] }, "vendor_name": "argoproj" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields." 
} ] }, "impact": { "cvss": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "cweId": "CWE-863", "lang": "eng", "value": "CWE-863: Incorrect Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j", "refsource": "MISC", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j" }, { "name": "https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945", "refsource": "MISC", "url": "https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945" } ] }, "source": { "advisory": "GHSA-3jfq-742w-xg8j", "discovery": "UNKNOWN" } }, "gitlab.com": { "advisories": [ { "affected_range": "\u003e=2.3.0 \u003c2.3.17||\u003e=2.4.0 \u003c2.4.23||\u003e=2.5.0 \u003c2.5.11||\u003e=2.6.0 \u003c2.6.2", "affected_versions": "All versions starting from 2.3.0 before 2.3.17, all versions starting from 2.4.0 before 2.4.23, all versions starting from 2.5.0 before 2.5.11, all versions starting from 2.6.0 before 2.6.2", "cwe_ids": [ "CWE-1035", "CWE-937" ], "date": "2023-02-16", "description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 is vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. 
The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the `destinations` and `clusterResourceallow list` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields.", "fixed_versions": [ "2.3.17", "2.4.23", "2.5.11", "2.6.2" ], "identifier": "CVE-2023-23947", "identifiers": [ "GHSA-3jfq-742w-xg8j", "CVE-2023-23947" ], "not_impacted": "All versions before 2.3.0, all versions starting from 2.3.17 before 2.4.0, all versions starting from 2.4.23 before 2.5.0, all versions starting from 2.5.11 before 2.6.0, all versions starting from 2.6.2", "package_slug": "go/github.com/argoproj/argo-cd", "pubdate": "2023-02-16", "solution": "Upgrade to versions 2.3.17, 2.4.23, 2.5.11, 2.6.2 or above.", "title": "Users with any cluster secret update access may update out-of-bounds cluster secrets", "urls": [ "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j", "https://nvd.nist.gov/vuln/detail/CVE-2023-23947", "https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945", "https://github.com/advisories/GHSA-3jfq-742w-xg8j" ], "uuid": "3ee0cc01-2d98-43b2-a605-236cc50eb948" } ] }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.6.2", "versionStartIncluding": "2.6.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.5.11", "versionStartIncluding": "2.5.0", "vulnerable": true }, { "cpe23Uri": 
"cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.4.23", "versionStartIncluding": "2.4.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "2.3.17", "versionStartIncluding": "2.3.0", "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2023-23947" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-863" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945", "refsource": "MISC", "tags": [ "Patch" ], "url": "https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945" }, { "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j", "refsource": "MISC", "tags": [ "Vendor Advisory" ], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j" } ] } }, "impact": { "baseMetricV3": { "cvssV3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 1.8, "impactScore": 6.0 } }, "lastModifiedDate": "2023-02-27T18:00Z", "publishedDate": "2023-02-16T18:15Z" } } }