GHSA-2gvw-w6fj-7m3c
- Source
- https://github.com/advisories/GHSA-2gvw-w6fj-7m3c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-2gvw-w6fj-7m3c/GHSA-2gvw-w6fj-7m3c.json
- Aliases
- Published
- 2024-04-15T20:20:50Z
- Modified
- 2024-04-17T08:11:41.186619Z
- Details
-
Impact
I can convince the UI to let me do things with an invalid Application. 1. Admin gives me
p, michael, applications, *, demo/*, allow, wheredemocan just deploy to thedemonamespace 2. Admin gives me AppProjectdevwhich reconciles from nsdev-apps3. Admin gives mep, michael, applications, sync, dev/*, allow, i.e. no updating via the UI allowed, gitops-only 4. I create an Application calledpwnindev-appswith project dev and sync the app with sources from git 5. I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe) 6. I use the UI to edit the resource which should only be mutable via gitopsPatches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.10.7 v2.9.12 v2.8.16
For more information
If you have any questions or comments about this advisory:
Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd
Credits
This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
- References
-
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c
- https://nvd.nist.gov/vuln/detail/CVE-2024-31990
- https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c
- https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5
- https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17
- https://github.com/argoproj/argo-cd