Bug 2167820 (CVE-2022-41354) - CVE-2022-41354 ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-41354
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2167489
Reported: 2023-02-07 16:11 UTC by Marco Benatto
Modified: 2023-03-23 22:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages; an attacker could then use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges.
Clone Of:
Environment:
Last Closed: 2023-03-23 22:47:00 UTC
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:1452  0        None      None    None     2023-03-23 18:40:44 UTC
Red Hat Product Errata  RHSA-2023:1453  0        None      None    None     2023-03-23 18:46:48 UTC
Red Hat Product Errata  RHSA-2023:1454  0        None      None    None     2023-03-23 19:11:14 UTC

Description Marco Benatto 2023-02-07 16:11:34 UTC
All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges (social engineering).
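
The flaw class described above, as an added illustration that is not Argo CD's code: a hypothetical Go lookup in which the leaky variant returns a different error for "no such application" than for "exists, but you may not read it", next to a hardened variant that evaluates existence and authorization together and returns one indistinguishable error. The store, the project-based grants and the user names are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed sample data for a hypothetical store (not Argo CD's data model):
// application name -> owning project, and user -> project they may read.
var apps = map[string]string{"payments": "team-a", "billing": "team-b"}
var grants = map[string]string{"alice": "team-a"}

var ErrPermissionDenied = errors.New("permission denied")

// GetAppLeaky shows the flaw class: the error returned to an unauthorized
// caller differs depending on whether the name exists, so the caller can
// tell "no such application" apart from "exists, but not yours".
func GetAppLeaky(user, name string) (string, error) {
	project, ok := apps[name]
	if !ok {
		return "", fmt.Errorf("application %q not found", name)
	}
	if grants[user] != project {
		return "", fmt.Errorf("%s: %w", name, ErrPermissionDenied)
	}
	return project, nil
}

// GetAppHardened evaluates existence and authorization together and returns
// the same error in both failing cases, so the response carries no signal
// about which names are in use.
func GetAppHardened(user, name string) (string, error) {
	project, ok := apps[name]
	if !ok || grants[user] != project {
		return "", ErrPermissionDenied
	}
	return project, nil
}

func main() {
	// "billing" exists but is not readable by alice; "nosuch" does not exist.
	for _, name := range []string{"billing", "nosuch"} {
		_, leaky := GetAppLeaky("alice", name)
		_, hard := GetAppHardened("alice", name)
		fmt.Printf("%-8s leaky=%q hardened=%q\n", name, leaky, hard)
	}
}
```

The same uniform-error rule should also cover the HTTP status code and response timing, since either can carry the existence signal just as well as the message text.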

Comment 7 errata-xmlrpc 2023-03-23 18:40:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.8

Via RHSA-2023:1452 https://access.redhat.com/errata/RHSA-2023:1452

Comment 8 errata-xmlrpc 2023-03-23 18:46:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.6

Via RHSA-2023:1453 https://access.redhat.com/errata/RHSA-2023:1453

Comment 9 errata-xmlrpc 2023-03-23 19:11:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.7

Via RHSA-2023:1454 https://access.redhat.com/errata/RHSA-2023:1454

Comment 10 Product Security DevOps Team 2023-03-23 22:46:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41354
