x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40584 #2050
Assignees
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Comments
timothy-king
added
NeedsInvestigation
excluded: EFFECTIVELY_PRIVATE
|
Change https://go.dev/cl/527176 mentions this issue: |
This was referenced Mar 18, 2024
This was referenced May 21, 2024
This was referenced Jun 7, 2024
|
Change https://go.dev/cl/592762 mentions this issue: |
|
Change https://go.dev/cl/606790 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
- data/reports/GO-2023-1997.yaml - data/reports/GO-2023-1999.yaml - data/reports/GO-2023-2001.yaml - data/reports/GO-2023-2004.yaml - data/reports/GO-2023-2005.yaml - data/reports/GO-2023-2006.yaml - data/reports/GO-2023-2011.yaml - data/reports/GO-2023-2012.yaml - data/reports/GO-2023-2014.yaml - data/reports/GO-2023-2018.yaml - data/reports/GO-2023-2020.yaml - data/reports/GO-2023-2022.yaml - data/reports/GO-2023-2023.yaml - data/reports/GO-2023-2025.yaml - data/reports/GO-2023-2026.yaml - data/reports/GO-2023-2028.yaml - data/reports/GO-2023-2036.yaml - data/reports/GO-2023-2038.yaml - data/reports/GO-2023-2049.yaml - data/reports/GO-2023-2050.yaml Updates #1997 Updates #1999 Updates #2001 Updates #2004 Updates #2005 Updates #2006 Updates #2011 Updates #2012 Updates #2014 Updates #2018 Updates #2020 Updates #2022 Updates #2023 Updates #2025 Updates #2026 Updates #2028 Updates #2036 Updates #2038 Updates #2049 Updates #2050 Change-Id: Iac9a2efe688e28fa0889e8a14e9b4fea7677a197 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606790 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-40584 references github.com/argoproj/argo-cd, which may be a Go module.
Description:
Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exploits this vulnerability to the repo-server, thereby harming the system's functionality and availability. Additionally, the repo-server is susceptible to another vulnerability due to the fact that it does not check the extracted file permissions before attempting to delete them. Consequently, an attacker can craft a malicious tar.gz archive in a way that prevents the deletion of its inner files when the manifest generation process is completed. A patch for this vulnerability has been released in versions 2.6.15, 2.7.14, and 2.8.3. Users are advised to upgrade. The only way to completely resolve the issue is to upgrade, however users unable to upgrade should configure RBAC (Role-Based Access Control) and provide access for configuring applications only to a limited number of administrators. These administrators should utilize trusted and verified Helm charts.
References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: