RHSA-2023:1452: Red Hat Security Advisory: Red Hat OpenShift GitOps security update
An update is now available for Red Hat OpenShift GitOps 1.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2022-41354: An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges.
Issued:
2023-03-23
Updated:
2023-03-23
RHSA-2023:1452 - Security Advisory
Synopsis
Moderate: Red Hat OpenShift GitOps security update
Type/Severity
Security Advisory: Moderate
Topic
An update is now available for Red Hat OpenShift GitOps 1.8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Security Fix(es):
- ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API (CVE-2022-41354)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat OpenShift GitOps 1.8 x86_64
- Red Hat OpenShift GitOps for IBM Power, little endian 1.8 ppc64le
- Red Hat OpenShift GitOps for IBM Z and LinuxONE 1.8 s390x
- Red Hat OpenShift GitOps for ARM 64 1.8 aarch64
Fixes
- BZ - 2167820 - CVE-2022-41354 ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API
Updated Images
aarch64
openshift-gitops-1/argocd-rhel8@sha256:f59359e26a0cc57d4e3abe640284c7ba980e72b830f480fa91825c88ecd062e4
openshift-gitops-1/console-plugin-rhel8@sha256:1ab2110a22912acf77fdf8dbfd801cfffea1bed67715629cfdc03e23c882d318
openshift-gitops-1/dex-rhel8@sha256:6bc1a6010682bd80ae100455a934a92f37b13f70afa1038c8d8f10ec39727ee7
openshift-gitops-1/gitops-rhel8@sha256:21fdf98c4ba9c28533c02067dab1ef59f109d925650eeeaddec508f34d632b0d
openshift-gitops-1/gitops-rhel8-operator@sha256:86160eb773563bde3f59fef387fe50ede0bb5108f711aa1759bd48f557b72b99
openshift-gitops-1/kam-delivery-rhel8@sha256:5b80dc7f0c607134f663ca082df07c159ddacb688c6252dbc2f535bc1e825746
ppc64le
openshift-gitops-1/argocd-rhel8@sha256:aae43c32dc5da71ba9be9efd495ccde25535cdbbe1d78917f48d8fcfed269222
openshift-gitops-1/console-plugin-rhel8@sha256:fcd81ad2a1751443844553a0900a2dceae7e92843c97cd6aa3305560a976ca67
openshift-gitops-1/dex-rhel8@sha256:4db889fd9eb4c451d086f5f79f5eb850379f8a3f35c5fe67e47c538bdfbb8b1f
openshift-gitops-1/gitops-rhel8@sha256:e317827fc5621773fcd6cb653aca9e09a300999d427ee11f449812a5eb30bd64
openshift-gitops-1/gitops-rhel8-operator@sha256:50c624fe3202213c4192a430edbebb00a3b00d492d6aee264acd7894a03b8e5d
openshift-gitops-1/kam-delivery-rhel8@sha256:6a5619fee1fd7b916e32c0d263622ad11e35fb8f51d5adff05867337af78112b
s390x
openshift-gitops-1/argocd-rhel8@sha256:1adeecbe2a1b13b1ccbaca6de748eebea17612c78ffaa45274dcb564e6997524
openshift-gitops-1/console-plugin-rhel8@sha256:6af1ef2d889dc40c21a1c277955a50bad53a612cb774b82718e1ffc042dc0bd7
openshift-gitops-1/dex-rhel8@sha256:1f467badefe68f76de6da239a2ce7e7933b298d289738df1080d8d0c40a7349b
openshift-gitops-1/gitops-rhel8@sha256:eaf99c68a30acc85c02741572210811da7d34b7af728a29bef2b684bcc82a5e4
openshift-gitops-1/gitops-rhel8-operator@sha256:7fb57dec46089f14b40b58a59bb3e007d2631e6afe2b210b8898be04d8d86459
openshift-gitops-1/kam-delivery-rhel8@sha256:3aa62b6fd14d01200a4d92562ad91dee37a555968a451ceefb101df259d95a91
x86_64
openshift-gitops-1/argocd-rhel8@sha256:eee39439704ffea3376cdd686392dedb4e5ed25280e217167b8b2223286a3f32
openshift-gitops-1/console-plugin-rhel8@sha256:2eabb947c4943a288c1c549ee601c853d138107414142c43be82b007af0bb9ce
openshift-gitops-1/dex-rhel8@sha256:6346a5027982d911aa5cadc0a2b6d77b76a76a7563fa67e91395e1ba0e554019
openshift-gitops-1/gitops-operator-bundle@sha256:273dcda07cdc475069a1dd41ecb2a91c51b2648f94eff57e9fd7e2e6aff75623
openshift-gitops-1/gitops-rhel8@sha256:b119feb01e5b2a97e9bd36ecca931cefaf154936110744b5b89968fddc2d9fef
openshift-gitops-1/gitops-rhel8-operator@sha256:f79bccbc97918a25339de9637fdba1f3362d6812d89a41c2a60e1d4264dfefca
openshift-gitops-1/kam-delivery-rhel8@sha256:3b228ebc41380285e3a91ab57a7a55112092d6d65cf8afb025847055517c719e
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Related news
An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.
Red Hat Security Advisory 2023-1453-01 - An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Moderate.
Red Hat Security Advisory 2023-1454-01 - An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Moderate.
Impact
All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges (social engineering). Many Argo CD API endpoints accept an application name as the only parameter. Since Argo CD RBAC requires both the application name and its configured project name (and, if apps-in-any-namespace is enabled, the application's namespace), Argo CD fetches the requested application before performing the RBAC check. If the application does not exist, the API returns a "not found". If the application does exist, and the user does not have access, the API returns an "unauthorized" error. By trial and error, an attacker can infer which applications exist ...
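The load-then-authorize ordering described above, as an added example in Go (this is not Argo CD's code; the application names, project names, the "dev-user" subject and the error strings are constructed for the demo). It places a vulnerable handler, which loads the application and then runs RBAC with two distinguishable errors, beside a hardened one that keeps the same load-then-check order (the project is still needed for the policy lookup) but returns a single error for both failures. An attacker loop then probes a wordlist with an account that has no access to the target projects and reads the errors as an existence oracle. The hardened variant models the defence, not the upstream patch.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Illustrative stand-ins for the two status codes an API caller sees (not Argo CD's text).
var (
	ErrNotFound         = errors.New("code = NotFound desc = application not found")
	ErrPermissionDenied = errors.New("code = PermissionDenied desc = permission denied")
)

// app holds what the RBAC check needs: policy is keyed on the project, so the
// application must be loaded before RBAC can run when the caller sent only a name.
type app struct {
	Name    string
	Project string
}

type store map[string]app              // constructed inventory, hypothetical names
type policy map[string]map[string]bool // subject -> projects it may "get" apps in
type getter func(s store, p policy, subject, name string) (app, error)

func (p policy) allowed(subject string, a app) bool { return p[subject][a.Project] }

// getAppVulnerable models the pre-fix ordering: load, then RBAC, with the two
// failure paths returning distinguishable errors.
func getAppVulnerable(s store, p policy, subject, name string) (app, error) {
	a, ok := s[name]
	if !ok {
		return app{}, ErrNotFound
	}
	if !p.allowed(subject, a) {
		return app{}, ErrPermissionDenied
	}
	return a, nil
}

// getAppHardened still loads first (the project is needed) but collapses
// "absent" and "forbidden" into one error, so the response is no longer an oracle.
func getAppHardened(s store, p policy, subject, name string) (app, error) {
	a, ok := s[name]
	if !ok || !p.allowed(subject, a) {
		return app{}, ErrPermissionDenied
	}
	return a, nil
}

// classify plays the attacker: an authenticated subject without access probes
// each candidate name and reads the error. "exists" is the leak: a permission
// error implies the application is real.
func classify(get getter, s store, p policy, subject string, wordlist []string) map[string]string {
	out := make(map[string]string, len(wordlist))
	for _, name := range wordlist {
		_, err := get(s, p, subject, name)
		switch {
		case err == nil:
			out[name] = "accessible"
		case errors.Is(err, ErrNotFound):
			out[name] = "absent"
		default:
			out[name] = "exists"
		}
	}
	return out
}

// leaked returns, sorted, the names the attacker would report as existing: against the
// vulnerable handler, exactly the real apps it may not see; against the hardened one,
// every inaccessible probe, real or invented, so the list carries no information.
func leaked(get getter, s store, p policy, subject string, wordlist []string) []string {
	var names []string
	for name, verdict := range classify(get, s, p, subject, wordlist) {
		if verdict == "exists" {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

// sampleEnv builds the constructed inventory and policy: "dev-user" may read project "default" only.
func sampleEnv() (store, policy) {
	s := store{
		"payments-prod": {Name: "payments-prod", Project: "payments"},
		"billing-prod":  {Name: "billing-prod", Project: "billing"},
		"guestbook":     {Name: "guestbook", Project: "default"},
	}
	return s, policy{"dev-user": {"default": true}}
}

func main() {
	s, p := sampleEnv()
	// Two real names the user cannot see, one it can, and two that do not exist.
	wordlist := []string{"payments-prod", "billing-prod", "guestbook", "inventory-prod", "hr-staging"}
	fmt.Println("vulnerable:", leaked(getAppVulnerable, s, p, "dev-user", wordlist))
	fmt.Println("hardened:  ", leaked(getAppHardened, s, p, "dev-user", wordlist))
}
```

The same test can be run by hand against a live instance after applying the update: with an account that has no access to the relevant project, request one application name that certainly does not exist and one that exists outside the account's project, and confirm the two responses are identical. Note that the hardened handler does not fix the ordering (RBAC still needs the project, so the lookup must come first); it removes the side channel by making the two failures indistinguishable.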