Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6p4m-hw2h-6gmw #1512

Closed
GoVulnBot opened this issue Jan 25, 2023 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6p4m-hw2h-6gmw #1512

GoVulnBot opened this issue Jan 25, 2023 · 3 comments
Assignees
@maceonthompson
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-6p4m-hw2h-6gmw, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/argoproj/argo-cd 2.6.0-rc5 = 2.6.0-rc4

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/argoproj/argo-cd
    versions:
      - introduced: TODO (earliest fixed "2.6.0-rc5", vuln range "= 2.6.0-rc4")
    packages:
      - package: github.com/argoproj/argo-cd
  - module: github.com/argoproj/argo-cd
    versions:
      - introduced: 2.5.0-rc1
        fixed: 2.5.8
    packages:
      - package: github.com/argoproj/argo-cd
description: "### Impact\n\nAll Argo CD versions starting with 2.5.0-rc1 are vulnerable
    to an authorization bypass bug which allows a malicious Argo CD user to deploy
    Applications outside the configured allowed namespaces. \n\n#### Description of
    exploit\n\nReconciled Application namespaces are specified as a comma-delimited
    list of glob patterns. When sharding is enabled on the Application controller,
    it does not enforce that list of patterns when reconciling Applications. For example,
    if Application namespaces are configured to be `argocd-*`, the Application controller
    may reconcile an Application installed in a namespace called `other`, even though
    it does not start with `argocd-`.\n\nReconciliation of the out-of-bounds Application
    is only triggered when the Application is updated, so the attacker must be able
    to cause an update operation on the Application resource.\n\n#### Limitations\n\nThis
    bug only applies to users who have explicitly enabled the \"apps-in-any-namespace\"
    feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap
    or otherwise setting the `--application-namespaces` flags on the Application controller
    and API server components. The apps-in-any-namespace feature is in beta as of
    this Security Advisory's publish date.\n\nThe bug is also limited to Argo CD instances
    where sharding is enabled by increasing the `replicas` count for the Application
    controller.\n\nFinally, the AppProjects' `sourceNamespaces` field acts as a secondary
    check against this exploit. To cause reconciliation of an Application in an out-of-bounds
    namespace, an AppProject must be available which permits Applications in the out-of-bounds
    namespace.\n\n### Patches\n\nA patch for this vulnerability has been released
    in the following Argo CD versions:\n\n* v2.5.8\n* v2.6.0-rc5\n\n### Workarounds\n\nRunning
    only one replica of the Application controller will prevent exploitation of this
    bug.\n\nMaking sure all AppProjects' `sourceNamespaces` are restricted within
    the confines of the configured Application namespaces will also prevent exploitation
    of this bug.\n\n### Credits\n\nThanks to ChangZhuo Chen (@czchen) for finding
    the issue and for contributing the fix!\n\n### References\n\n* [Documentation
    for apps-in-any-namespace](https://argo-cd--10678.org.readthedocs.build/en/10678/operator-manual/app-any-namespace/)\n\n###
    For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues)
    or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on
    [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n\n"
cves:
  - CVE-2023-22736
ghsas:
  - GHSA-6p4m-hw2h-6gmw
@maceonthompson maceonthompson added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Feb 6, 2023
@maceonthompson maceonthompson self-assigned this Feb 6, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/466475 mentions this issue: data/excluded: batch add GO-2023-1527, GO-2023-1524, GO-2023-1516, GO-2023-1514, GO-2023-1513, GO-2023-1511, GO-2023-1523, GO-2023-1522, GO-2023-1520, GO-2023-1512

@maceonthompson maceonthompson mentioned this issue Feb 8, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Feb 16, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Mar 27, 2023
Closed
This was referenced Aug 23, 2023
Closed
Closed
This was referenced Sep 8, 2023
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Sep 27, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Jan 19, 2024
Closed
This was referenced Mar 18, 2024
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 15, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 26, 2024
Closed
This was referenced May 21, 2024
Closed
Closed
This was referenced Jun 7, 2024
Closed
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592759 mentions this issue: data/reports: unexclude 75 reports

@GoVulnBot GoVulnBot mentioned this issue Jul 24, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606782 mentions this issue: data/reports: unexclude 20 reports (2)

gopherbot pushed a commit that referenced this issue Aug 20, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (2)
a585aa5 
  - data/reports/GO-2023-1512.yaml
  - data/reports/GO-2023-1520.yaml
  - data/reports/GO-2023-1524.yaml
  - data/reports/GO-2023-1527.yaml
  - data/reports/GO-2023-1533.yaml
  - data/reports/GO-2023-1541.yaml
  - data/reports/GO-2023-1542.yaml
  - data/reports/GO-2023-1543.yaml
  - data/reports/GO-2023-1544.yaml
  - data/reports/GO-2023-1550.yaml
  - data/reports/GO-2023-1551.yaml
  - data/reports/GO-2023-1552.yaml
  - data/reports/GO-2023-1553.yaml
  - data/reports/GO-2023-1554.yaml
  - data/reports/GO-2023-1555.yaml
  - data/reports/GO-2023-1560.yaml
  - data/reports/GO-2023-1577.yaml
  - data/reports/GO-2023-1581.yaml
  - data/reports/GO-2023-1582.yaml
  - data/reports/GO-2023-1583.yaml

Updates #1512
Updates #1520
Updates #1524
Updates #1527
Updates #1533
Updates #1541
Updates #1542
Updates #1543
Updates #1544
Updates #1550
Updates #1551
Updates #1552
Updates #1553
Updates #1554
Updates #1555
Updates #1560
Updates #1577
Updates #1581
Updates #1582
Updates #1583

Change-Id: I6a2829acd39b6e598b81e8138e6d126128073198
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606782
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@maceonthompson maceonthompson

Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @maceonthompson @GoVulnBot