Synopsis
Important: Red Hat OpenShift GitOps security update
Type/Severity
Security Advisory: Important
Topic
An update is now available for Red Hat OpenShift GitOps 1.3 on OpenShift 4.6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications.
Security Fix(es):
- argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034)
- argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI (CVE-2022-31035)
- argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016)
- argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
-
Red Hat OpenShift GitOps 1.3 x86_64
Fixes
-
BZ - 2096278
- CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI
-
BZ - 2096282
- CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.
-
BZ - 2096283
- CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug
-
BZ - 2096291
- CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access