x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-40029 #2049
Labels
excluded: NOT_IMPORTABLE
This vulnerability only exists in a binary and is not importable.
Comments
timothy-king
added
NeedsReport
excluded: NOT_IMPORTABLE
|
Change https://go.dev/cl/528596 mentions this issue: |
This was referenced Mar 18, 2024
This was referenced May 21, 2024
This was referenced Jun 7, 2024
|
Change https://go.dev/cl/592762 mentions this issue: |
|
Change https://go.dev/cl/606790 mentions this issue: |
gopherbot
pushed a commit
that referenced
this issue
Aug 21, 2024
- data/reports/GO-2023-1997.yaml - data/reports/GO-2023-1999.yaml - data/reports/GO-2023-2001.yaml - data/reports/GO-2023-2004.yaml - data/reports/GO-2023-2005.yaml - data/reports/GO-2023-2006.yaml - data/reports/GO-2023-2011.yaml - data/reports/GO-2023-2012.yaml - data/reports/GO-2023-2014.yaml - data/reports/GO-2023-2018.yaml - data/reports/GO-2023-2020.yaml - data/reports/GO-2023-2022.yaml - data/reports/GO-2023-2023.yaml - data/reports/GO-2023-2025.yaml - data/reports/GO-2023-2026.yaml - data/reports/GO-2023-2028.yaml - data/reports/GO-2023-2036.yaml - data/reports/GO-2023-2038.yaml - data/reports/GO-2023-2049.yaml - data/reports/GO-2023-2050.yaml Updates #1997 Updates #1999 Updates #2001 Updates #2004 Updates #2005 Updates #2006 Updates #2011 Updates #2012 Updates #2014 Updates #2018 Updates #2020 Updates #2022 Updates #2023 Updates #2025 Updates #2026 Updates #2028 Updates #2036 Updates #2038 Updates #2049 Updates #2050 Change-Id: Iac9a2efe688e28fa0889e8a14e9b4fea7677a197 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606790 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2023-40029 references github.com/argoproj/argo-cd, which may be a Go module.
Description:
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in
kubectl.kubernetes.io/last-applied-configurationannotation. pull request #7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets it also exposes thekubectl.kubernetes.io/last-applied-configurationannotation which includes full secret body. In order to view the cluster annotations via the Argo CD API, the user must haveclusters, getRBAC access. Note: In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive. The bug has been patched in versions 2.8.3, 2.7.14, and 2.6.15. Users are advised to upgrade. Users unable to upgrade should update/deploy cluster secret withserver-side-applyflag which does not use or rely onkubectl.kubernetes.io/last-applied-configurationannotation. Note: annotation for existing secrets will require manual removal.References:
Cross references:
See doc/triage.md for instructions on how to triage this report.
The text was updated successfully, but these errors were encountered: