GHSA-2gvw-w6fj-7m3c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-2gvw-w6fj-7m3c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-2gvw-w6fj-7m3c/GHSA-2gvw-w6fj-7m3c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-2gvw-w6fj-7m3c
- Aliases
- Related
- Published
- 2024-04-15T20:20:50Z
- Modified
- 2024-06-04T16:56:42.670164Z
- Severity
-
- 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Argo CD's API server does not enforce project sourceNamespaces
- Details
-
Impact
I can convince the UI to let me do things with an invalid Application. 1. Admin gives me
p, michael, applications, *, demo/*, allow, wheredemocan just deploy to thedemonamespace 2. Admin gives me AppProjectdevwhich reconciles from nsdev-apps3. Admin gives mep, michael, applications, sync, dev/*, allow, i.e. no updating via the UI allowed, gitops-only 4. I create an Application calledpwnindev-appswith project dev and sync the app with sources from git 5. I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe) 6. I use the UI to edit the resource which should only be mutable via gitopsPatches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.10.7 v2.9.12 v2.8.16
For more information
If you have any questions or comments about this advisory:
Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd
Credits
This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
- Database specific
{ "nvd_published_at": "2024-04-15T20:15:11Z", "cwe_ids": [ "CWE-863" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-04-15T20:20:50Z" }- References
-
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c
- https://nvd.nist.gov/vuln/detail/CVE-2024-31990
- https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c
- https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5
- https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17
- https://github.com/argoproj/argo-cd
Affected packages
Go / github.com/argoproj/argo-cd/v2
Package
- Name
- github.com/argoproj/argo-cd/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v2
Go / github.com/argoproj/argo-cd/v2
Package
- Name
- github.com/argoproj/argo-cd/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v2
Go / github.com/argoproj/argo-cd/v2
Package
- Name
- github.com/argoproj/argo-cd/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v2