x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-23947 #1577
Labels: excluded: EFFECTIVELY_PRIVATE (this vulnerability exists in a package that can be imported, but isn't meant to be used outside that module.)
Comments

timothy-king added the excluded: EFFECTIVELY_PRIVATE label on Feb 16, 2023.

Change https://go.dev/cl/468975 mentions this issue.
This was referenced Aug 23, 2023
This was referenced Sep 8, 2023
This was referenced Mar 18, 2024
This was referenced May 21, 2024
This was referenced Jun 7, 2024
Change https://go.dev/cl/592759 mentions this issue.

Change https://go.dev/cl/606782 mentions this issue.

gopherbot pushed a commit that referenced this issue on Aug 20, 2024:

- data/reports/GO-2023-1512.yaml
- data/reports/GO-2023-1520.yaml
- data/reports/GO-2023-1524.yaml
- data/reports/GO-2023-1527.yaml
- data/reports/GO-2023-1533.yaml
- data/reports/GO-2023-1541.yaml
- data/reports/GO-2023-1542.yaml
- data/reports/GO-2023-1543.yaml
- data/reports/GO-2023-1544.yaml
- data/reports/GO-2023-1550.yaml
- data/reports/GO-2023-1551.yaml
- data/reports/GO-2023-1552.yaml
- data/reports/GO-2023-1553.yaml
- data/reports/GO-2023-1554.yaml
- data/reports/GO-2023-1555.yaml
- data/reports/GO-2023-1560.yaml
- data/reports/GO-2023-1577.yaml
- data/reports/GO-2023-1581.yaml
- data/reports/GO-2023-1582.yaml
- data/reports/GO-2023-1583.yaml

Updates #1512
Updates #1520
Updates #1524
Updates #1527
Updates #1533
Updates #1541
Updates #1542
Updates #1543
Updates #1544
Updates #1550
Updates #1551
Updates #1552
Updates #1553
Updates #1554
Updates #1555
Updates #1560
Updates #1577
Updates #1581
Updates #1582
Updates #1583

Change-Id: I6a2829acd39b6e598b81e8138e6d126128073198
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606782
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
CVE-2023-23947 references github.com/argoproj/argo-cd, which may be a Go module.
Description:
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23, 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields.

References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
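The first workaround in the description is to revoke every `clusters, update` grant in the Argo CD RBAC policy until a patched release is deployed. The script below is an added example, not code from the Argo CD project or from this vulndb report: it parses a policy.csv in the documented Argo CD shape (`p, subject, resource, action, object, allow` and `g, subject, role`), lists every subject that can update at least one cluster secret (which, on an affected version, means every cluster secret), and emits a hardened copy of the policy with those grants removed. The sample policy is constructed for illustration; role and user names are invented.

```python
"""Audit an Argo CD policy.csv for subjects able to update cluster secrets.

Added example; not Argo CD project code. Assumes the documented policy shape:
    p, <subject>, <resource>, <action>, <object>, <effect>
    g, <subject>, <role>
with glob ('*') matching on resource, action and object, and a default-deny
policy, so only explicit allow rules widen access.
"""
import csv
import fnmatch
import io

# Constructed sample policy.csv for illustration; not from any real deployment.
SAMPLE_POLICY = """\
p, role:readonly, applications, get, */*, allow
p, role:cluster-admin, clusters, update, *, allow
p, role:team-a-ops, clusters, update, https://team-a.example.internal, allow
p, role:superuser, *, *, *, allow
p, role:team-b-ops, clusters, get, *, allow
g, alice, role:cluster-admin
g, bob, role:team-a-ops
g, carol, role:superuser
g, dave, role:team-b-ops
"""


def parse_policy(text):
    """Return (permissions, bindings): `p` rows as dicts, `g` rows as (subject, role)."""
    perms, binds = [], []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].startswith("#"):
            continue  # blank line or comment
        kind, fields = row[0], row[1:]
        if kind == "p" and len(fields) == 5:
            subject, resource, action, obj, effect = fields
            perms.append(dict(subject=subject, resource=resource,
                              action=action, object=obj, effect=effect))
        elif kind == "g" and len(fields) == 2:
            binds.append((fields[0], fields[1]))
        else:
            raise ValueError(f"malformed policy line: {row}")
    return perms, binds


def _grants_cluster_update(p):
    """True for an allow rule whose resource/action globs cover clusters/update."""
    return (p["effect"] == "allow"
            and fnmatch.fnmatchcase("clusters", p["resource"])
            and fnmatch.fnmatchcase("update", p["action"]))


def cluster_update_grants(perms, binds):
    """Map each role, and each subject bound to such a role, to the cluster
    object patterns it may update. Any entry here is at risk on an affected
    version: update on one cluster secret became update on all of them."""
    role_grants = {}
    for p in perms:
        if _grants_cluster_update(p):
            role_grants.setdefault(p["subject"], []).append(p["object"])
    grants = {k: list(v) for k, v in role_grants.items()}
    for subject, role in binds:
        if role in role_grants:
            grants.setdefault(subject, []).extend(role_grants[role])
    return grants


def at_risk_subjects(perms, binds):
    """Sorted subjects with any clusters/update grant, scoped or wildcard."""
    return sorted(cluster_update_grants(perms, binds))


def hardened_policy(text):
    """Apply the first workaround: drop every allow rule reaching clusters/update.
    A blanket `*, *, *` rule is dropped too; re-express such roles without
    cluster update access rather than keeping the wildcard."""
    kept = []
    for line in text.splitlines():
        row = next(csv.reader([line], skipinitialspace=True), [])
        if (len(row) == 6 and row[0] == "p"
                and _grants_cluster_update(dict(resource=row[2], action=row[3],
                                                effect=row[5]))):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    perms, binds = parse_policy(SAMPLE_POLICY)
    for subject, objects in sorted(cluster_update_grants(perms, binds).items()):
        print(f"{subject}: can update cluster secrets matching {objects}")
    print("--- hardened policy.csv ---")
    print(hardened_policy(SAMPLE_POLICY), end="")
```

Run it against the `policy.csv` key of the `argocd-rbac-cm` ConfigMap; on an affected version, every subject the audit lists should be treated as having update access to all cluster secrets, not only the object its rule names, which is why the hardened output removes scoped grants as well as wildcards.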