Bug 2236530 (CVE-2023-40584)
| Field | Value |
|---|---|
| Summary | CVE-2023-40584 ArgoCD: Denial of Service to Argo CD repo-server |
| Product | [Other] Security Response |
| Reporter | Marco Benatto <mbenatto> |
| Component | vulnerability |
| Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | security-response-team, shbose |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | ArgoCD 2.6, ArgoCD 2.7, ArgoCD 2.8 |
| Doc Type | If docs needed, set a value |
| Bug Blocks | 2233201 |

Doc Text:
A flaw was found in ArgoCD, which failed to properly validate user-controlled tar.gz files uploaded to the repo-server component. As a result, a maliciously crafted tar.gz file sent by a low-privileged user may cause resource starvation and a subsequent denial of service of the ArgoCD server. Additionally, because the permissions of the files inside the tar.gz archive are not checked, an attacker may create files on the server that cannot later be deleted.
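The two defects the Doc Text describes, unbounded decompression of an untrusted tar.gz and file modes taken from the archive, are both handled by the extractor below. It is an added illustration, not Argo CD's own code or its actual fix; the function name ExtractTarGz and the caller-supplied byte budget are assumptions.

```go
package main

import (
	"archive/tar"
	"compress/gzip"
	"errors"
	"io"
	"os"
	"path/filepath"
)

var ErrTooLarge = errors.New("archive exceeds decompressed size limit")
// ExtractTarGz unpacks the regular files in r into dst. maxBytes caps what is actually
// decompressed (header-claimed sizes are never trusted; reads stop one byte past the budget);
// directories get 0755 and files 0644 whatever the archive says, so the tree can always be deleted.
func ExtractTarGz(r io.Reader, dst string, maxBytes int64) error {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return err
	}
	tr := tar.NewReader(gz)
	var total int64
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue // symlinks, devices and other entry types are not needed for a manifest tree
		}
		// Rooting the name under "/" before Clean strips any "../" so it cannot escape dst.
		target := filepath.Join(dst, filepath.Clean("/"+hdr.Name))
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		data, err := io.ReadAll(io.LimitReader(tr, maxBytes-total+1))
		if err != nil {
			return err
		}
		if total += int64(len(data)); total > maxBytes {
			return ErrTooLarge
		}
		if err := os.WriteFile(target, data, 0o644); err != nil {
			return err
		}
	}
}
```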
Description
Marco Benatto
2023-08-31 15:58:14 UTC
This issue has been addressed in the following products:
Red Hat OpenShift GitOps 1.9 Via RHSA-2023:5029 https://access.redhat.com/errata/RHSA-2023:5029

This issue has been addressed in the following products:
Red Hat OpenShift GitOps 1.8 Via RHSA-2023:5030 https://access.redhat.com/errata/RHSA-2023:5030