Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40029 #2049

Closed
GoVulnBot opened this issue Sep 8, 2023 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40029 #2049

GoVulnBot opened this issue Sep 8, 2023 · 3 comments
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

CVE-2023-40029 references github.com/argoproj/argo-cd, which may be a Go module.

Description:
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored inkubectl.kubernetes.io/last-applied-configuration annotation. pull request #7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets it also exposes the kubectl.kubernetes.io/last-applied-configuration annotation which includes full secret body. In order to view the cluster annotations via the Argo CD API, the user must have clusters, get RBAC access. Note: In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive. The bug has been patched in versions 2.8.3, 2.7.14, and 2.6.15. Users are advised to upgrade. Users unable to upgrade should update/deploy cluster secret with server-side-apply flag which does not use or rely on kubectl.kubernetes.io/last-applied-configuration annotation. Note: annotation for existing secrets will require manual removal.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
      packages:
        - package: argo-cd
description: |-
    Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster
    secrets might be managed declaratively using Argo CD / kubectl apply. As a
    result, the full secret body is stored
    in`kubectl.kubernetes.io/last-applied-configuration` annotation. pull request
    #7139 introduced the ability to manage cluster labels and annotations. Since
    clusters are stored as secrets it also exposes the
    `kubectl.kubernetes.io/last-applied-configuration` annotation which includes
    full secret body. In order to view the cluster annotations via the Argo CD API,
    the user must have `clusters, get` RBAC access. **Note:** In many cases, cluster
    secrets do not contain any actually-secret information. But sometimes, as in
    bearer-token auth, the contents might be very sensitive. The bug has been
    patched in versions 2.8.3, 2.7.14, and 2.6.15. Users are advised to upgrade.
    Users unable to upgrade should update/deploy cluster secret with
    `server-side-apply` flag which does not use or rely on
    `kubectl.kubernetes.io/last-applied-configuration` annotation. Note: annotation
    for existing secrets will require manual removal.
cves:
    - CVE-2023-40029
references:
    - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-fwr2-64vr-xv9m
    - fix: https://github.com/argoproj/argo-cd/pull/7139
    - fix: https://github.com/argoproj/argo-cd/commit/4b2e5b06bff2ffd8ed1970654ddd8e55fc4a41c4
@timothy-king timothy-king self-assigned this Sep 9, 2023
@timothy-king timothy-king added NeedsReport excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. and removed NeedsReport labels Sep 9, 2023
@timothy-king timothy-king removed their assignment Sep 13, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/528596 mentions this issue: data/excluded: batch add 10 excluded reports

@GoVulnBot GoVulnBot mentioned this issue Sep 27, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Jan 19, 2024
Closed
This was referenced Mar 18, 2024
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 15, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 26, 2024
Closed
This was referenced May 21, 2024
Closed
Closed
This was referenced Jun 7, 2024
Closed
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592762 mentions this issue: data/reports: unexclude 75 reports

@GoVulnBot GoVulnBot mentioned this issue Jul 24, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/606790 mentions this issue: data/reports: unexclude 20 reports (10)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (10)
7a0b2bb 
  - data/reports/GO-2023-1997.yaml
  - data/reports/GO-2023-1999.yaml
  - data/reports/GO-2023-2001.yaml
  - data/reports/GO-2023-2004.yaml
  - data/reports/GO-2023-2005.yaml
  - data/reports/GO-2023-2006.yaml
  - data/reports/GO-2023-2011.yaml
  - data/reports/GO-2023-2012.yaml
  - data/reports/GO-2023-2014.yaml
  - data/reports/GO-2023-2018.yaml
  - data/reports/GO-2023-2020.yaml
  - data/reports/GO-2023-2022.yaml
  - data/reports/GO-2023-2023.yaml
  - data/reports/GO-2023-2025.yaml
  - data/reports/GO-2023-2026.yaml
  - data/reports/GO-2023-2028.yaml
  - data/reports/GO-2023-2036.yaml
  - data/reports/GO-2023-2038.yaml
  - data/reports/GO-2023-2049.yaml
  - data/reports/GO-2023-2050.yaml

Updates #1997
Updates #1999
Updates #2001
Updates #2004
Updates #2005
Updates #2006
Updates #2011
Updates #2012
Updates #2014
Updates #2018
Updates #2020
Updates #2022
Updates #2023
Updates #2025
Updates #2026
Updates #2028
Updates #2036
Updates #2038
Updates #2049
Updates #2050

Change-Id: Iac9a2efe688e28fa0889e8a14e9b4fea7677a197
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606790
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
This was referenced Jan 28, 2025
Closed
Closed
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@timothy-king @gopherbot @GoVulnBot