Bug 2167820 (CVE-2022-41354)
Summary: | CVE-2022-41354 ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marco Benatto <mbenatto> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aveerama, ellin, rgarg, scorneli, security-response-team, shbose, ubhargav |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-03-23 22:47:00 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 2167489 |
Description
Marco Benatto
2023-02-07 16:11:34 UTC
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.8 Via RHSA-2023:1452 https://access.redhat.com/errata/RHSA-2023:1452 This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.6 Via RHSA-2023:1453 https://access.redhat.com/errata/RHSA-2023:1453 This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.7 Via RHSA-2023:1454 https://access.redhat.com/errata/RHSA-2023:1454 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-41354 |