rhsa-2023_0468
Vulnerability from csaf_redhat
Published
2023-01-25 20:48
Modified
2024-09-16 10:08
Summary
Red Hat Security Advisory: Red Hat OpenShift GitOps security update

Notes

Topic
An update is now available for Red Hat OpenShift GitOps 1.5.9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift GitOps is a declarative way to implement continuous deployment for cloud-native applications.

Security Fix(es):

* ArgoCD: JWT audience claim is not verified (CVE-2023-22482)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat OpenShift GitOps 1.5.9\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* ArgoCD: JWT audience claim is not verified (CVE-2023-22482)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:0468",
        "url": "https://access.redhat.com/errata/RHSA-2023:0468"
      },
      {
        "category": "external",
        "summary": "https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html",
        "url": "https://docs.openshift.com/container-platform/latest/cicd/gitops/understanding-openshift-gitops.html"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2160492",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160492"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2023/rhsa-2023_0468.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update",
    "tracking": {
      "current_release_date": "2024-09-16T10:08:28+00:00",
      "generator": {
        "date": "2024-09-16T10:08:28+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHSA-2023:0468",
      "initial_release_date": "2023-01-25T20:48:55+00:00",
      "revision_history": [
        {
          "date": "2023-01-25T20:48:55+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-01-25T20:48:55+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-16T10:08:28+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift GitOps 1.5",
                "product": {
                  "name": "Red Hat OpenShift GitOps 1.5",
                  "product_id": "8Base-GitOps-1.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_gitops:1.5::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift GitOps"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
                "product": {
                  "name": "openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
                  "product_id": "openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.5.9-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64",
                "product": {
                  "name": "openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64",
                  "product_id": "openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.5.9-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
                "product": {
                  "name": "openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
                  "product_id": "openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.5.9-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
                "product": {
                  "name": "openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
                  "product_id": "openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.5.9-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64",
                "product": {
                  "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64",
                  "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.5.9-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
                "product": {
                  "name": "openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
                  "product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.5.9-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
                "product": {
                  "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
                  "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.5.9-2"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64 as a component of Red Hat OpenShift GitOps 1.5",
          "product_id": "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64"
        },
        "product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64 as a component of Red Hat OpenShift GitOps 1.5",
          "product_id": "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64"
        },
        "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64 as a component of Red Hat OpenShift GitOps 1.5",
          "product_id": "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64"
        },
        "product_reference": "openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64 as a component of Red Hat OpenShift GitOps 1.5",
          "product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64"
        },
        "product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64 as a component of Red Hat OpenShift GitOps 1.5",
          "product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64"
        },
        "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64 as a component of Red Hat OpenShift GitOps 1.5",
          "product_id": "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64"
        },
        "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64 as a component of Red Hat OpenShift GitOps 1.5",
          "product_id": "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64"
        },
        "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-22482",
      "discovery_date": "2023-01-12T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
            "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
            "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
            "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
            "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
            "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2160492"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in ArgoCD. GitOps is vulnerable to an improper authorization bug where the API may accept invalid tokens. ID providers include an audience claim in signed tokens, which may be used to restrict which services can accept the token. ArgoCD doesn\u0027t properly validate the audience claim in such scenarios; if the ID provider used with ArgoCD is also being used with other audiences, it will accept tokens that may not be intended to access the ArgoCD cluster.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ArgoCD: JWT audience claim is not verified",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64"
        ],
        "known_not_affected": [
          "8Base-GitOps-1.5:openshift-gitops-1/applicationset-rhel8@sha256:e63b945a5f62319fcfe8559f68c7127d4386d33d0d7d87b8554f1c67a5354f80_amd64",
          "8Base-GitOps-1.5:openshift-gitops-1/dex-rhel8@sha256:f83063a735fd601ed6c9badf144c7963abc834571fe272f428d30063f2ca0f39_amd64",
          "8Base-GitOps-1.5:openshift-gitops-1/gitops-operator-bundle@sha256:60ee169761c3fa98312f1022d870a226900dc37b19a6270198df66579b9bdf12_amd64",
          "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8-operator@sha256:548c57659461dee45b766ab47b7bcc8a6d4255deeed8b99d7fba4937bc40f31c_amd64",
          "8Base-GitOps-1.5:openshift-gitops-1/gitops-rhel8@sha256:2389a7a4bede3fc1c10a49f7f460d2f140fdfd60d5fa38b436000e0218e0ffbb_amd64",
          "8Base-GitOps-1.5:openshift-gitops-1/kam-delivery-rhel8@sha256:e3255a77de859d34ad39297909111afbb9d66ee573b29d452b653658325b06ac_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2023-22482"
        },
        {
          "category": "external",
          "summary": "RHBZ#2160492",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2160492"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2023-22482",
          "url": "https://www.cve.org/CVERecord?id=CVE-2023-22482"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2023-22482",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22482"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc",
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc"
        }
      ],
      "release_date": "2023-01-25T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:0468"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-GitOps-1.5:openshift-gitops-1/argocd-rhel8@sha256:b0e09d746f60c42614807bd3d1e3930fbec29f4c8520c2f77c737c1d1313df36_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "ArgoCD: JWT audience claim is not verified"
    }
  ]
}





