Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-25163 #1548

Closed
GoVulnBot opened this issue Feb 8, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-25163 #1548

GoVulnBot opened this issue Feb 8, 2023 · 1 comment
Assignees
@tatianab
Labels
NeedsReport

Comments

@GoVulnBot
Copy link

CVE-2023-25163 references github.com/argoproj/argo-cd, which may be a Go module.

Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have applications, create or applications, update RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has repositories, update access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/argoproj/argo-cd
    packages:
      - package: argo-cd
description: |
    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
cves:
  - CVE-2023-25163
references:
  - fix: https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw
  - fix: https://github.com/argoproj/argo-cd/issues/12309
  - fix: https://github.com/argoproj/argo-cd/pull/12320
  - web: https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/
@tatianab tatianab self-assigned this Feb 10, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/468316 mentions this issue: data/reports: add GO-2023-1548.yaml

@GoVulnBot GoVulnBot mentioned this issue Mar 23, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Jul 20, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Sep 27, 2023
Closed
This was referenced Mar 15, 2024
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Mar 29, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue May 21, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tatianab tatianab

Labels
NeedsReport
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot