x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40029 #2049
Labels
excluded: NOT_IMPORTABLE
This vulnerability only exists in a binary and is not importable.
Comments
timothy-king added the NeedsReport and excluded: NOT_IMPORTABLE (This vulnerability only exists in a binary and is not importable.) labels and removed the NeedsReport label on Sep 9, 2023
Change https://go.dev/cl/528596 mentions this issue.
This was referenced Mar 18, 2024
This was referenced May 21, 2024
This was referenced Jun 7, 2024
Change https://go.dev/cl/592762 mentions this issue.
Change https://go.dev/cl/606790 mentions this issue.
gopherbot pushed a commit that referenced this issue on Aug 21, 2024:

- data/reports/GO-2023-1997.yaml
- data/reports/GO-2023-1999.yaml
- data/reports/GO-2023-2001.yaml
- data/reports/GO-2023-2004.yaml
- data/reports/GO-2023-2005.yaml
- data/reports/GO-2023-2006.yaml
- data/reports/GO-2023-2011.yaml
- data/reports/GO-2023-2012.yaml
- data/reports/GO-2023-2014.yaml
- data/reports/GO-2023-2018.yaml
- data/reports/GO-2023-2020.yaml
- data/reports/GO-2023-2022.yaml
- data/reports/GO-2023-2023.yaml
- data/reports/GO-2023-2025.yaml
- data/reports/GO-2023-2026.yaml
- data/reports/GO-2023-2028.yaml
- data/reports/GO-2023-2036.yaml
- data/reports/GO-2023-2038.yaml
- data/reports/GO-2023-2049.yaml
- data/reports/GO-2023-2050.yaml

Updates #1997
Updates #1999
Updates #2001
Updates #2004
Updates #2005
Updates #2006
Updates #2011
Updates #2012
Updates #2014
Updates #2018
Updates #2020
Updates #2022
Updates #2023
Updates #2025
Updates #2026
Updates #2028
Updates #2036
Updates #2038
Updates #2049
Updates #2050

Change-Id: Iac9a2efe688e28fa0889e8a14e9b4fea7677a197
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606790
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
CVE-2023-40029 references github.com/argoproj/argo-cd, which may be a Go module.
Description:
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in the kubectl.kubernetes.io/last-applied-configuration annotation. Pull request #7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets it also exposes the kubectl.kubernetes.io/last-applied-configuration annotation which includes the full secret body. In order to view the cluster annotations via the Argo CD API, the user must have clusters, get RBAC access. Note: In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive. The bug has been patched in versions 2.8.3, 2.7.14, and 2.6.15. Users are advised to upgrade. Users unable to upgrade should update/deploy cluster secrets with the server-side-apply flag, which does not use or rely on the kubectl.kubernetes.io/last-applied-configuration annotation. Note: the annotation for existing secrets will require manual removal.
References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
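The advisory above describes a cluster-side condition that can be audited independently of the Argo CD API: a Secret created with client-side `kubectl apply` carries its whole applied manifest, `data` included, in the `kubectl.kubernetes.io/last-applied-configuration` annotation, while a Secret created with server-side apply does not. The script below is an added example, not code from this issue, from Argo CD or from x/vulndb. It takes input in the shape of `kubectl get secrets -o json`, reports which cluster secrets embed secret material in that annotation, flags the bearer-token case the advisory singles out, and emits the `kubectl annotate ... -` commands for the manual removal the advisory says existing secrets need. It assumes the `argocd.argoproj.io/secret-type: cluster` label and the `config` field holding a JSON document with `bearerToken`, which is how Argo CD's declarative cluster secrets are laid out; the Secret list itself is constructed sample data.

```python
"""Audit Kubernetes Secrets for the exposure in CVE-2023-40029: client-side
`kubectl apply` stores the full object, secret data included, in the
kubectl.kubernetes.io/last-applied-configuration annotation.
Input mirrors the shape of `kubectl get secrets -o json`."""
import base64
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
# Label Argo CD puts on declarative cluster secrets (assumed layout).
CLUSTER_LABEL = {"argocd.argoproj.io/secret-type": "cluster"}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def _cluster_secret(name, server, token, client_side_apply):
    """Constructed Argo CD cluster Secret. With client_side_apply=True the
    annotation carries the whole applied manifest, as kubectl apply does."""
    manifest = {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": name, "namespace": "argocd", "labels": dict(CLUSTER_LABEL)},
        "data": {"name": _b64(name), "server": _b64(server),
                 "config": _b64(json.dumps({"bearerToken": token}))},
    }
    secret = json.loads(json.dumps(manifest))  # deep copy
    if client_side_apply:
        secret["metadata"]["annotations"] = {LAST_APPLIED: json.dumps(manifest)}
    return secret


# Constructed sample: one secret applied client-side (annotation present),
# one applied with --server-side (no annotation), one non-cluster secret
# whose annotation carries no data at all.
SAMPLE_SECRET_LIST = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        _cluster_secret("prod-cluster", "https://10.0.0.1", "EXAMPLE-TOKEN-1", True),
        _cluster_secret("staging-cluster", "https://10.0.0.2", "EXAMPLE-TOKEN-2", False),
        {"apiVersion": "v1", "kind": "Secret",
         "metadata": {"name": "unrelated", "namespace": "argocd",
                      "annotations": {LAST_APPLIED: json.dumps({"kind": "Secret"})}},
         "data": {"x": _b64("y")}},
    ],
}


def _last_applied(secret):
    """Parsed annotation content, or None if absent or not valid JSON."""
    raw = (secret.get("metadata", {}).get("annotations") or {}).get(LAST_APPLIED)
    if not raw:
        return None
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return parsed if isinstance(parsed, dict) else None


def exposed_keys(secret):
    """Keys under data/stringData whose values the annotation embeds; [] if none."""
    applied = _last_applied(secret)
    if applied is None:
        return []
    keys = []
    for field in ("data", "stringData"):
        keys.extend(sorted((applied.get(field) or {}).keys()))
    return keys


def exposed_bearer_token(secret):
    """True when the annotation reveals a bearerToken inside Argo CD's
    `config` field, the high-impact case the advisory calls out."""
    applied = _last_applied(secret) or {}
    try:
        config = json.loads(base64.b64decode((applied.get("data") or {})["config"]))
    except (KeyError, ValueError, TypeError):
        return False
    return isinstance(config, dict) and bool(config.get("bearerToken"))


def audit(secret_list, labels=None):
    """{secret name: exposed keys} for Secrets matching `labels` (default:
    Argo CD cluster secrets) whose annotation embeds secret data."""
    labels = CLUSTER_LABEL if labels is None else labels
    findings = {}
    for item in secret_list.get("items", []):
        if item.get("kind") != "Secret":
            continue
        item_labels = item.get("metadata", {}).get("labels") or {}
        if any(item_labels.get(k) != v for k, v in labels.items()):
            continue
        keys = exposed_keys(item)
        if keys:
            findings[item["metadata"]["name"]] = keys
    return findings


def remediation_commands(findings, namespace="argocd"):
    """Manual removal for existing secrets: a trailing '-' on
    `kubectl annotate` deletes the named annotation."""
    return [f"kubectl -n {namespace} annotate secret {name} {LAST_APPLIED}-"
            for name in sorted(findings)]


if __name__ == "__main__":
    found = audit(SAMPLE_SECRET_LIST)
    for name, keys in found.items():
        print(f"{name}: annotation exposes {keys}")
    print("\n".join(remediation_commands(found)))
```

Against a live cluster, pipe `kubectl -n argocd get secrets -o json` into `audit` instead of the constructed list; removing the annotation is only the clean-up step, and future updates to those secrets still need server-side apply so the annotation is not re-created.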