The nkeys library's "xkeys" encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing. Within the nats-server, the encryption is used for the Auth Callouts feature, introduced with 2.10.0 (September 2023). The Auth Callout request includes the supplied user password. These messages are sent within NATS, and should typically be in a dedicated NATS Account used for callouts, but this is not required. Thus in scenarios where the Callouts are in an account shared with untrusted users or where the callout responders connect without TLS, this may lead to user credential exposure.

https://advisories.nats.io/CVE/secnote-2023-02.txt
https://security-tracker.debian.org/tracker/CVE-2023-46129
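To make the mechanism concrete, the following is an added Go example (not nkeys or nats-server code) showing why a fixed-size array passed by value leaves the caller's key all zeros, the pointer-based form that actually populates it, and a guard a caller can use to detect the symptom before encrypting. The names deriveInto, buggyKey, fixedKey and CheckKey, and the SHA-256 "derivation", are hypothetical stand-ins for the library internals.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeySize is the length of the symmetric key the hypothetical encrypt step expects.
const KeySize = 32

// deriveInto stands in for the internal function the advisory describes: it
// populates the key buffer it is handed. Hypothetical, not the nkeys code.
func deriveInto(dst *[KeySize]byte, seed []byte) {
	*dst = sha256.Sum256(seed)
}

// buggyKey mirrors the defect: a Go array is a value type, so the inner
// function receives and mutates a copy while the caller's array stays zero.
func buggyKey(seed []byte) [KeySize]byte {
	var key [KeySize]byte
	fill := func(k [KeySize]byte) { deriveInto(&k, seed) } // k is a copy of key
	fill(key)
	return key // still all zeros
}

// fixedKey hands the callee a pointer, so the caller's buffer is populated.
func fixedKey(seed []byte) [KeySize]byte {
	var key [KeySize]byte
	deriveInto(&key, seed)
	return key
}

// CheckKey is a guard a caller can run before any encryption: refuse a key
// that is entirely zero, which is exactly the symptom this advisory describes.
func CheckKey(key [KeySize]byte) error {
	if bytes.Equal(key[:], make([]byte, KeySize)) {
		return errors.New("refusing to encrypt with an all-zero key")
	}
	return nil
}

func main() {
	seed := []byte("constructed sample seed, not a real nkeys seed") // constructed input
	fmt.Println("array by value:", CheckKey(buggyKey(seed)))
	fmt.Println("pointer        :", CheckKey(fixedKey(seed)))
}
```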
Created golang-github-nats-io-nkeys tracking bugs for this issue:

Affects: fedora-all [bug 2247715]

Created nats-server tracking bugs for this issue:

Affects: fedora-all [bug 2247716]
This issue has been addressed in the following products:

Red Hat Openshift distributed tracing 3.0

Via RHSA-2023:7663 https://access.redhat.com/errata/RHSA-2023:7663
The CVE is related to the NATS go library, which is not used by Argo CD. The NATS go library is an unused dependency of a dependency, and thus appears in the 'go.sum', but the actual library itself is not consumed and thus is not vulnerable in openshift-gitops-argocd-container.