Bug 2269479 (CVE-2023-50726)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2023-50726 Argo CD: Users with `create` but not `override` privileges can perform local sync | | |
| Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aveerama, rgarg, shbose, ubhargav |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | argo-cd 2.10.3, argo-cd 2.9.8, argo-cd 2.8.12 | Doc Type: | --- |
| Doc Text: | A flaw was found in the Argo CD package. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on application creation. All other restrictions, including AppProject restrictions, are still enforced. The only restriction that is not enforced is that the manifests come from an approved git/Helm/OCI source. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2269480 | | |
| Bug Blocks: | 2269481 | | |
Description

Avinash Hanwate, 2024-03-14 04:59:54 UTC

This issue has been addressed in the following products:

- Red Hat OpenShift GitOps 1.11, via RHSA-2024:1697: https://access.redhat.com/errata/RHSA-2024:1697
- Red Hat OpenShift GitOps 1.10, via RHSA-2024:1700: https://access.redhat.com/errata/RHSA-2024:1700
- Red Hat OpenShift GitOps 1.12 (Red Hat OpenShift GitOps 1.12 - RHEL 9), via RHSA-2024:1752: https://access.redhat.com/errata/RHSA-2024:1752
- Red Hat OpenShift GitOps 1.12 (Red Hat OpenShift GitOps 1.12 - RHEL 9), via RHSA-2024:1753: https://access.redhat.com/errata/RHSA-2024:1753