CVSS: 8.3EPSS: 0%CPEs: 4EXPL: 0CVE-2022-31034 – Insecure entropy in argo-cd
https://notcve.org/view.php?id=CVE-2022-31034
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v0.11.0 are vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or UI. The vulnerabilities are due to the use of insufficiently random values in parameters in Oauth2/OIDC login flows. In each case, using a relatively-predictable (time-based) seed in a non-cryptographically-secure pseudo-random number generator made the parameter less random than required by the relevant spec or by general best practices. In some cases, using too short a value made the entropy even less sufficient. • https://github.com/argoproj/argo-cd/commit/17f7f4f462bdb233e1b9b36f67099f41052d8cb0 https://github.com/argoproj/argo-cd/security/advisories/GHSA-2m7h-86qq-fp4v https://access.redhat.com/security/cve/CVE-2022-31034 https://bugzilla.redhat.com/show_bug.cgi?id=2096282 • CWE-330: Use of Insufficiently Random Values CWE-331: Insufficient Entropy CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-31035 – External URLs for Deployments can include javascript in argo-cd
https://notcve.org/view.php?id=CVE-2022-31035
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a `javascript:` link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). The script would be capable of doing anything which is possible in the UI or via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in the following Argo CD versions: v2.4.1, v2.3.5, v2.2.10 and v2.1.16. • https://argo-cd.readthedocs.io/en/stable/user-guide/external-url https://github.com/argoproj/argo-cd/commit/8bc3ef690de29c68a36f473908774346a44d4038 https://github.com/argoproj/argo-cd/security/advisories/GHSA-h4w9-6x78-8vrj https://access.redhat.com/security/cve/CVE-2022-31035 https://bugzilla.redhat.com/show_bug.cgi?id=2096278 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2022-31036 – Symlink following allows leaking out-of-bounds YAML files from Argo CD repo-server
https://notcve.org/view.php?id=CVE-2022-31036
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v1.3.0 are vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive YAML files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a Helm-type Application may commit a symlink which points to an out-of-bounds file. If the target file is a valid YAML file, the attacker can read the contents of that file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any YAML-formatted secrets which have been mounted as files on the repo-server. • https://github.com/argoproj/argo-cd/commit/04c305396458508a31d03d44afea07b1c620d7cd https://github.com/argoproj/argo-cd/security/advisories/GHSA-q4w5-4gq2-98vm https://access.redhat.com/security/cve/CVE-2022-31036 https://bugzilla.redhat.com/show_bug.cgi?id=2096291 • CWE-20: Improper Input Validation CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29165 – Argo CD will blindly trust JWT claims if anonymous access is enabled
https://notcve.org/view.php?id=CVE-2022-29165
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A critical vulnerability has been discovered in Argo CD starting with version 1.4.0 and prior to versions 2.1.15, 2.2.9, and 2.3.4 which would allow unauthenticated users to impersonate as any Argo CD user or role, including the `admin` user, by sending a specifically crafted JSON Web Token (JWT) along with the request. In order for this vulnerability to be exploited, anonymous access to the Argo CD instance must have been enabled. In a default Argo CD installation, anonymous access is disabled. The vulnerability can be exploited to impersonate as any user or role, including the built-in `admin` account regardless of whether it is enabled or disabled. • https://github.com/argoproj/argo-cd/releases/tag/v2.1.15 https://github.com/argoproj/argo-cd/releases/tag/v2.2.9 https://github.com/argoproj/argo-cd/releases/tag/v2.3.4 https://github.com/argoproj/argo-cd/security/advisories/GHSA-r642-gv9p-2wjj https://access.redhat.com/security/cve/CVE-2022-29165 https://bugzilla.redhat.com/show_bug.cgi?id=2081686 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication CWE-290: Authentication Bypass by Spoofing CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2022-24904 – Symlink following allows leaking out-of-bound manifests and JSON files from Argo CD repo-server
https://notcve.org/view.php?id=CVE-2022-24904
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.7.0 and prior to versions 2.1.15m 2.2.9, and 2.3.4 is vulnerable to a symlink following bug allowing a malicious user with repository write access to leak sensitive files from Argo CD's repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. A patch for this vulnerability has been released in Argo CD versions 2.3.4, 2.2.9, and 2.1.15. • https://github.com/argoproj/argo-cd/releases/tag/v2.1.15 https://github.com/argoproj/argo-cd/releases/tag/v2.2.9 https://github.com/argoproj/argo-cd/releases/tag/v2.3.4 https://github.com/argoproj/argo-cd/security/advisories/GHSA-6gcg-hp2x-q54h https://access.redhat.com/security/cve/CVE-2022-24904 https://bugzilla.redhat.com/show_bug.cgi?id=2081691 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following CWE-787: Out-of-bounds Write •