x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40026

[GoVulnBot]

CVE-2023-40026 references github.com/argoproj/argo-cd, which may be a Go module.

Description:
Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or files from the referenced Helm Chart. This was possible because Helm paths were predictable. The vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to reference and then render the values and resources from other existing Helm charts regardless of permissions. While generally, secrets are not stored in these files, it was nevertheless possible to reference any values from these charts. This issue was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. User's still using Argo CD 2.3 or below are advised to update to a supported version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for each Helm chart would prevent possible exploitation.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-40026
• JSON: https://github.com/CVEProject/cvelist/tree/119aa8cc5cfa927aa89f1d982d949f918860bc4d/2023/40xxx/CVE-2023-40026.json
• advisory: GHSA-6jqw-jwf5-rp8h
• web: https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions
• Imported by: https://pkg.go.dev/github.com/argoproj/argo-cd?tab=importedby

Cross references:

• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24348 #304 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24730 #357 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24731 #358 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24768 #359 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6w87-g839-9wv7 #387 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24904 #453 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-24905 #454 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-29165 #455 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31016 #495 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31034 #497 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31035 #498 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31036 #499 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-1025 #516 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31102 #517 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31105 #518 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/session: GHSA-vj54-cjrx-x696 #882 NOT_IMPORTABLE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/util/cache: GHSA-xcqr-9h24-vrgw #892 NOT_IMPORTABLE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-6p4m-hw2h-6gmw #1512 NOT_IMPORTABLE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-q9hr-j4rf-8fjc #1520 NOT_IMPORTABLE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-23947 #1577 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-2q5c-qw9c-fmvq #1670 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: GHSA-c8xw-vjgf-94hr #2018 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40029 #2049 NOT_IMPORTABLE
• Module github.com/argoproj/argo-cd appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40584 #2050 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/argoproj/argo-cd
      vulnerable_at: 1.8.6
      packages:
        - package: argo-cd
description: |-
    Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo
    CD versions prior to 2.3 (starting at least in v0.1.0, but likely in any version
    using Helm before 2.3), using a specifically-crafted Helm file could reference
    external Helm charts handled by the same repo-server to leak values, or files
    from the referenced Helm Chart. This was possible because Helm paths were
    predictable. The vulnerability worked by adding a Helm chart that referenced
    Helm resources from predictable paths. Because the paths of Helm charts were
    predictable and available on an instance of repo-server, it was possible to
    reference and then render the values and resources from other existing Helm
    charts regardless of permissions. While generally, secrets are not stored in
    these files, it was nevertheless possible to reference any values from these
    charts. This issue was fixed in Argo CD 2.3 and subsequent versions by
    randomizing Helm paths. User's still using Argo CD 2.3 or below are advised to
    update to a supported version. If this is not possible, disabling Helm chart
    rendering, or using an additional repo-server for each Helm chart would prevent
    possible exploitation.
cves:
    - CVE-2023-40026
references:
    - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h
    - web: https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions

[jba]

Vulnerability in tool.

[gopherbot]

Change https://go.dev/cl/531705 mentions this issue: data/excluded: batch add 18 excluded reports

[jba]

Duplicate of #2085