-
Notifications
You must be signed in to change notification settings - Fork 61
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-23947 #1577
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Comments
timothy-king
added
the
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
label
Feb 16, 2023
Change https://go.dev/cl/468975 mentions this issue: |
This was referenced Aug 23, 2023
This was referenced Sep 8, 2023
This was referenced Mar 18, 2024
This was referenced May 21, 2024
This was referenced Jun 7, 2024
Change https://go.dev/cl/592759 mentions this issue: |
Change https://go.dev/cl/606782 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 20, 2024
- data/reports/GO-2023-1512.yaml - data/reports/GO-2023-1520.yaml - data/reports/GO-2023-1524.yaml - data/reports/GO-2023-1527.yaml - data/reports/GO-2023-1533.yaml - data/reports/GO-2023-1541.yaml - data/reports/GO-2023-1542.yaml - data/reports/GO-2023-1543.yaml - data/reports/GO-2023-1544.yaml - data/reports/GO-2023-1550.yaml - data/reports/GO-2023-1551.yaml - data/reports/GO-2023-1552.yaml - data/reports/GO-2023-1553.yaml - data/reports/GO-2023-1554.yaml - data/reports/GO-2023-1555.yaml - data/reports/GO-2023-1560.yaml - data/reports/GO-2023-1577.yaml - data/reports/GO-2023-1581.yaml - data/reports/GO-2023-1582.yaml - data/reports/GO-2023-1583.yaml Updates #1512 Updates #1520 Updates #1524 Updates #1527 Updates #1533 Updates #1541 Updates #1542 Updates #1543 Updates #1544 Updates #1550 Updates #1551 Updates #1552 Updates #1553 Updates #1554 Updates #1555 Updates #1560 Updates #1577 Updates #1581 Updates #1582 Updates #1583 Change-Id: I6a2829acd39b6e598b81e8138e6d126128073198 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606782 Auto-Submit: Tatiana Bradley <[email protected]> Reviewed-by: Damien Neil <[email protected]> LUCI-TryBot-Result: Go LUCI <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
excluded: EFFECTIVELY_PRIVATE
This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
CVE-2023-23947 references github.com/argoproj/argo-cd, which may be a Go module.
Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all
clusters, update
access, or use thedestinations
andclusterResourceWhitelist
fields to apply similar restrictions as thenamespaces
andclusterResources
fields.References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: