rhsa-2022_5192
Vulnerability from csaf_redhat
Published
2022-06-24 20:13
Modified
2024-11-22 19:33
Summary
Red Hat Security Advisory: Red Hat OpenShift GitOps security update

Notes

Topic
An update is now available for Red Hat OpenShift GitOps 1.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Security Fix(es): * argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034) * argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI (CVE-2022-31035) * argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016) * argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat OpenShift GitOps 1.3.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.\n\nSecurity Fix(es):\n\n* argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)\n\n* argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI (CVE-2022-31035)\n\n* argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)\n\n* argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2022:5192",
        "url": "https://access.redhat.com/errata/RHSA-2022:5192"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "2096278",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096278"
      },
      {
        "category": "external",
        "summary": "2096282",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096282"
      },
      {
        "category": "external",
        "summary": "2096283",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096283"
      },
      {
        "category": "external",
        "summary": "2096291",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096291"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2022/rhsa-2022_5192.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update",
    "tracking": {
      "current_release_date": "2024-11-22T19:33:50+00:00",
      "generator": {
        "date": "2024-11-22T19:33:50+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2022:5192",
      "initial_release_date": "2022-06-24T20:13:56+00:00",
      "revision_history": [
        {
          "date": "2022-06-24T20:13:56+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2022-06-24T20:13:56+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T19:33:50+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift GitOps 1.3",
                "product": {
                  "name": "Red Hat OpenShift GitOps 1.3",
                  "product_id": "8Base-GitOps-1.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_gitops:1.3::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift GitOps"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
                "product": {
                  "name": "openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
                  "product_id": "openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/applicationset-rhel8\u0026tag=v1.3.11-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64",
                "product": {
                  "name": "openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64",
                  "product_id": "openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.3.11-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
                "product": {
                  "name": "openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
                  "product_id": "openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.3.11-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
                "product": {
                  "name": "openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
                  "product_id": "openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.3.11-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64",
                "product": {
                  "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64",
                  "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.3.11-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
                "product": {
                  "name": "openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
                  "product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.3.11-4"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
                "product": {
                  "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
                  "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.3.11-4"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64 as a component of Red Hat OpenShift GitOps 1.3",
          "product_id": "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64"
        },
        "product_reference": "openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64 as a component of Red Hat OpenShift GitOps 1.3",
          "product_id": "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
        },
        "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64 as a component of Red Hat OpenShift GitOps 1.3",
          "product_id": "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64"
        },
        "product_reference": "openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64 as a component of Red Hat OpenShift GitOps 1.3",
          "product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64"
        },
        "product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64 as a component of Red Hat OpenShift GitOps 1.3",
          "product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64"
        },
        "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64 as a component of Red Hat OpenShift GitOps 1.3",
          "product_id": "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64"
        },
        "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64 as a component of Red Hat OpenShift GitOps 1.3",
          "product_id": "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
        },
        "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-31016",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2022-06-13T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2096283"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in ArgoCD, which is vulnerable to an uncontrolled memory consumption bug. A crafted manifest file can lead the ArgoCD\u0027s repo-server component to crash, causing a denial of service. The attacker must be an authenticated user to exploit this vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "argocd: vulnerable to an uncontrolled memory consumption bug",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
        ],
        "known_not_affected": [
          "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-31016"
        },
        {
          "category": "external",
          "summary": "RHBZ#2096283",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096283"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31016",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-31016"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31016",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31016"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq",
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq"
        }
      ],
      "release_date": "2022-06-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-06-24T20:13:56+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5192"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "argocd: vulnerable to an uncontrolled memory consumption bug"
    },
    {
      "cve": "CVE-2022-31034",
      "cwe": {
        "id": "CWE-331",
        "name": "Insufficient Entropy"
      },
      "discovery_date": "2022-06-13T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2096282"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Several Single sign-on (SSO) vulnerabilities were found in ArgoCD when the login process is initiated via CLI or UI interfaces. The vulnerabilities are related to using insufficiently random value parameters during the login process. This flaw gives the attacker elevated privileges, including the possibility of administrative rights.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
        ],
        "known_not_affected": [
          "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-31034"
        },
        {
          "category": "external",
          "summary": "RHBZ#2096282",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096282"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31034",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-31034"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31034"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v",
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v"
        }
      ],
      "release_date": "2022-06-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-06-24T20:13:56+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5192"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI."
    },
    {
      "cve": "CVE-2022-31035",
      "cwe": {
        "id": "CWE-80",
        "name": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"
      },
      "discovery_date": "2022-06-13T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2096278"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A Cross-site scripting (XSS) flaw was found in ArgoCD. This flaw allows a malicious actor to trigger a Cross-site scripting (XSS) vulnerability by storing a link point to a javascript code in ArgoCD UI. A successful attack depends on a user clicking the malicious link and triggering the function available in the UI without the user\u0027s knowledge. The actions done by the malicious code will run with the same victim\u0027s level of access, including administrative privileges, if the victim has this level of permission.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
        ],
        "known_not_affected": [
          "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-31035"
        },
        {
          "category": "external",
          "summary": "RHBZ#2096278",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096278"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31035",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-31035"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31035",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31035"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj",
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj"
        }
      ],
      "release_date": "2022-06-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-06-24T20:13:56+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5192"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI"
    },
    {
      "cve": "CVE-2022-31036",
      "cwe": {
        "id": "CWE-61",
        "name": "UNIX Symbolic Link (Symlink) Following"
      },
      "discovery_date": "2022-06-13T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
            "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2096291"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A symlink following vulnerability was found in ArgoCD. A malicious user with write access can commit a symlink pointing to a file outside the expected directories. Once the Helm-type application consumes this symlink, the attacker can read the content of the file referenced by the symbolic link, compromising the confidentiality of other projects under the same ArgoCD installation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
        ],
        "known_not_affected": [
          "8Base-GitOps-1.3:openshift-gitops-1/applicationset-rhel8@sha256:6c8043e2061c4d6589dfbeb30d99260bf0bdcd7639015054683eaf288af11095_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/dex-rhel8@sha256:2705a2930cf7b73b4af7b2626b2380326f20ada60e98a4d7e3aee0de89a27d57_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-operator-bundle@sha256:93a1cbe44b5009f700e85e2f5a88de0fc3d4f7a3fe30240456899ea5e097ac5b_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8-operator@sha256:ac6776a3a10b7234b876ae79c9f8e2c40412f7279ee65fa8805c8184d266719e_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/gitops-rhel8@sha256:df385ec48f934f910b16a3c05357002ed1744f6765b8ade3dc7ca3b40ba5d642_amd64",
          "8Base-GitOps-1.3:openshift-gitops-1/kam-delivery-rhel8@sha256:b3961cafdf0c02c12523cee1bca91539321c37da1efa066c07013ed2085da0e2_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-31036"
        },
        {
          "category": "external",
          "summary": "RHBZ#2096291",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2096291"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-31036",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-31036"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-31036",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31036"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm",
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm"
        }
      ],
      "release_date": "2022-06-15T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2022-06-24T20:13:56+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2022:5192"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-GitOps-1.3:openshift-gitops-1/argocd-rhel8@sha256:e34286b0a47918cf61a627697c59fc7be35ffe4b9be484e6cf6e377ab20f0187_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.