csaf_redhat - RHSA-2023:1453

RHSA-2023:1453

Vulnerability from csaf_redhat

Published

2023-03-23 18:46

Modified

2024-11-22 22:23

Summary

Red Hat Security Advisory: Red Hat OpenShift GitOps security update

Notes

Topic

An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Security Fix(es): * ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API (CVE-2022-41354) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for Red Hat OpenShift GitOps 1.6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Security Fix(es):\n\n* ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API (CVE-2022-41354)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2023:1453",
        "url": "https://access.redhat.com/errata/RHSA-2023:1453"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "2167820",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167820"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2023/rhsa-2023_1453.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat OpenShift GitOps security update",
    "tracking": {
      "current_release_date": "2024-11-22T22:23:53+00:00",
      "generator": {
        "date": "2024-11-22T22:23:53+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2023:1453",
      "initial_release_date": "2023-03-23T18:46:43+00:00",
      "revision_history": [
        {
          "date": "2023-03-23T18:46:43+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2023-03-23T18:46:43+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T22:23:53+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat OpenShift GitOps 1.6",
                "product": {
                  "name": "Red Hat OpenShift GitOps 1.6",
                  "product_id": "8Base-GitOps-1.6",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_gitops:1.6::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift GitOps"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-gitops-1/argocd-rhel8@sha256:363e64753141b70b05cbe1a212aa4626cd7001e136d2a7a30ce995acefb79918_s390x",
                "product": {
                  "name": "openshift-gitops-1/argocd-rhel8@sha256:363e64753141b70b05cbe1a212aa4626cd7001e136d2a7a30ce995acefb79918_s390x",
                  "product_id": "openshift-gitops-1/argocd-rhel8@sha256:363e64753141b70b05cbe1a212aa4626cd7001e136d2a7a30ce995acefb79918_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/argocd-rhel8@sha256:363e64753141b70b05cbe1a212aa4626cd7001e136d2a7a30ce995acefb79918?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-rhel8@sha256:cfd94ed64a41fd2aa9c73d5f125eda68da3c6a920270eb3e2a603fae15caad11_s390x",
                "product": {
                  "name": "openshift-gitops-1/gitops-rhel8@sha256:cfd94ed64a41fd2aa9c73d5f125eda68da3c6a920270eb3e2a603fae15caad11_s390x",
                  "product_id": "openshift-gitops-1/gitops-rhel8@sha256:cfd94ed64a41fd2aa9c73d5f125eda68da3c6a920270eb3e2a603fae15caad11_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-rhel8@sha256:cfd94ed64a41fd2aa9c73d5f125eda68da3c6a920270eb3e2a603fae15caad11?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/dex-rhel8@sha256:74c182734ae54034b314c9b2adc0c3ef74688e3a5ec3c05b8cc0f07ef88460a4_s390x",
                "product": {
                  "name": "openshift-gitops-1/dex-rhel8@sha256:74c182734ae54034b314c9b2adc0c3ef74688e3a5ec3c05b8cc0f07ef88460a4_s390x",
                  "product_id": "openshift-gitops-1/dex-rhel8@sha256:74c182734ae54034b314c9b2adc0c3ef74688e3a5ec3c05b8cc0f07ef88460a4_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/dex-rhel8@sha256:74c182734ae54034b314c9b2adc0c3ef74688e3a5ec3c05b8cc0f07ef88460a4?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:99c4f2d3c76af623dcc2f362ce5342d6e3ca5f68985990347192e7757557b7b4_s390x",
                "product": {
                  "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:99c4f2d3c76af623dcc2f362ce5342d6e3ca5f68985990347192e7757557b7b4_s390x",
                  "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:99c4f2d3c76af623dcc2f362ce5342d6e3ca5f68985990347192e7757557b7b4_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kam-delivery-rhel8@sha256:99c4f2d3c76af623dcc2f362ce5342d6e3ca5f68985990347192e7757557b7b4?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:04a3258fe00fe8ea9e0b48e5911a7c148f6c6dbc0cbb2d5b6d5071d0f27064b2_s390x",
                "product": {
                  "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:04a3258fe00fe8ea9e0b48e5911a7c148f6c6dbc0cbb2d5b6d5071d0f27064b2_s390x",
                  "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:04a3258fe00fe8ea9e0b48e5911a7c148f6c6dbc0cbb2d5b6d5071d0f27064b2_s390x",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-rhel8-operator@sha256:04a3258fe00fe8ea9e0b48e5911a7c148f6c6dbc0cbb2d5b6d5071d0f27064b2?arch=s390x\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.6.6-1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-gitops-1/argocd-rhel8@sha256:79c519c218fd5f3ec14b2f9b263553626ca3bc05141463a5deb9814644291044_ppc64le",
                "product": {
                  "name": "openshift-gitops-1/argocd-rhel8@sha256:79c519c218fd5f3ec14b2f9b263553626ca3bc05141463a5deb9814644291044_ppc64le",
                  "product_id": "openshift-gitops-1/argocd-rhel8@sha256:79c519c218fd5f3ec14b2f9b263553626ca3bc05141463a5deb9814644291044_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/argocd-rhel8@sha256:79c519c218fd5f3ec14b2f9b263553626ca3bc05141463a5deb9814644291044?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-rhel8@sha256:77a0917c97f5aa5430693c00653fe066f90de786911e6b2744ed8fc2dec69e81_ppc64le",
                "product": {
                  "name": "openshift-gitops-1/gitops-rhel8@sha256:77a0917c97f5aa5430693c00653fe066f90de786911e6b2744ed8fc2dec69e81_ppc64le",
                  "product_id": "openshift-gitops-1/gitops-rhel8@sha256:77a0917c97f5aa5430693c00653fe066f90de786911e6b2744ed8fc2dec69e81_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-rhel8@sha256:77a0917c97f5aa5430693c00653fe066f90de786911e6b2744ed8fc2dec69e81?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/dex-rhel8@sha256:ad064ab1165f73f00ca1984a4736738a7fbfe9771ceda37043118333a6801e50_ppc64le",
                "product": {
                  "name": "openshift-gitops-1/dex-rhel8@sha256:ad064ab1165f73f00ca1984a4736738a7fbfe9771ceda37043118333a6801e50_ppc64le",
                  "product_id": "openshift-gitops-1/dex-rhel8@sha256:ad064ab1165f73f00ca1984a4736738a7fbfe9771ceda37043118333a6801e50_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/dex-rhel8@sha256:ad064ab1165f73f00ca1984a4736738a7fbfe9771ceda37043118333a6801e50?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:9e2d4d35ed9e9155311c4c0823ca6f471968d3c668f41d4ae6a88772fee949fa_ppc64le",
                "product": {
                  "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:9e2d4d35ed9e9155311c4c0823ca6f471968d3c668f41d4ae6a88772fee949fa_ppc64le",
                  "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:9e2d4d35ed9e9155311c4c0823ca6f471968d3c668f41d4ae6a88772fee949fa_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kam-delivery-rhel8@sha256:9e2d4d35ed9e9155311c4c0823ca6f471968d3c668f41d4ae6a88772fee949fa?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:a807e500c68bc01c05cc7614adf973eb383384b5ba907be9e158fdaf76737fbe_ppc64le",
                "product": {
                  "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:a807e500c68bc01c05cc7614adf973eb383384b5ba907be9e158fdaf76737fbe_ppc64le",
                  "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:a807e500c68bc01c05cc7614adf973eb383384b5ba907be9e158fdaf76737fbe_ppc64le",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-rhel8-operator@sha256:a807e500c68bc01c05cc7614adf973eb383384b5ba907be9e158fdaf76737fbe?arch=ppc64le\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.6.6-1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-gitops-1/argocd-rhel8@sha256:1bd43dbaa0b53789699d46e22280ffb314a589caa924b713c55d3ff0f3579cf3_amd64",
                "product": {
                  "name": "openshift-gitops-1/argocd-rhel8@sha256:1bd43dbaa0b53789699d46e22280ffb314a589caa924b713c55d3ff0f3579cf3_amd64",
                  "product_id": "openshift-gitops-1/argocd-rhel8@sha256:1bd43dbaa0b53789699d46e22280ffb314a589caa924b713c55d3ff0f3579cf3_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/argocd-rhel8@sha256:1bd43dbaa0b53789699d46e22280ffb314a589caa924b713c55d3ff0f3579cf3?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/argocd-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-rhel8@sha256:3b5b34b740ddb442af9eee77e47c009710c953cdd1c7998d946c115c71250b86_amd64",
                "product": {
                  "name": "openshift-gitops-1/gitops-rhel8@sha256:3b5b34b740ddb442af9eee77e47c009710c953cdd1c7998d946c115c71250b86_amd64",
                  "product_id": "openshift-gitops-1/gitops-rhel8@sha256:3b5b34b740ddb442af9eee77e47c009710c953cdd1c7998d946c115c71250b86_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-rhel8@sha256:3b5b34b740ddb442af9eee77e47c009710c953cdd1c7998d946c115c71250b86?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/dex-rhel8@sha256:e4a938f215d754b1de7c974b1b43e5959def4b3224907ab5fd30ca44d0c4f0bc_amd64",
                "product": {
                  "name": "openshift-gitops-1/dex-rhel8@sha256:e4a938f215d754b1de7c974b1b43e5959def4b3224907ab5fd30ca44d0c4f0bc_amd64",
                  "product_id": "openshift-gitops-1/dex-rhel8@sha256:e4a938f215d754b1de7c974b1b43e5959def4b3224907ab5fd30ca44d0c4f0bc_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/dex-rhel8@sha256:e4a938f215d754b1de7c974b1b43e5959def4b3224907ab5fd30ca44d0c4f0bc?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/dex-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:46fcd72037b36b4201d9b69c553efa843eeb84ccc276d42ace16c9b3ba16000e_amd64",
                "product": {
                  "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:46fcd72037b36b4201d9b69c553efa843eeb84ccc276d42ace16c9b3ba16000e_amd64",
                  "product_id": "openshift-gitops-1/kam-delivery-rhel8@sha256:46fcd72037b36b4201d9b69c553efa843eeb84ccc276d42ace16c9b3ba16000e_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/kam-delivery-rhel8@sha256:46fcd72037b36b4201d9b69c553efa843eeb84ccc276d42ace16c9b3ba16000e?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/kam-delivery-rhel8\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-operator-bundle@sha256:b22190de3162d3e03481cae8904ce563912756eea7ac7e7feec0acbbdae5e6f6_amd64",
                "product": {
                  "name": "openshift-gitops-1/gitops-operator-bundle@sha256:b22190de3162d3e03481cae8904ce563912756eea7ac7e7feec0acbbdae5e6f6_amd64",
                  "product_id": "openshift-gitops-1/gitops-operator-bundle@sha256:b22190de3162d3e03481cae8904ce563912756eea7ac7e7feec0acbbdae5e6f6_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-operator-bundle@sha256:b22190de3162d3e03481cae8904ce563912756eea7ac7e7feec0acbbdae5e6f6?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-operator-bundle\u0026tag=v1.6.6-1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:8c7dcf0bc33c767474b7a637a6dd744b0b677011ac9cdc3471c889611e265046_amd64",
                "product": {
                  "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:8c7dcf0bc33c767474b7a637a6dd744b0b677011ac9cdc3471c889611e265046_amd64",
                  "product_id": "openshift-gitops-1/gitops-rhel8-operator@sha256:8c7dcf0bc33c767474b7a637a6dd744b0b677011ac9cdc3471c889611e265046_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/gitops-rhel8-operator@sha256:8c7dcf0bc33c767474b7a637a6dd744b0b677011ac9cdc3471c889611e265046?arch=amd64\u0026repository_url=registry.redhat.io/openshift-gitops-1/gitops-rhel8-operator\u0026tag=v1.6.6-1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/argocd-rhel8@sha256:1bd43dbaa0b53789699d46e22280ffb314a589caa924b713c55d3ff0f3579cf3_amd64 as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:1bd43dbaa0b53789699d46e22280ffb314a589caa924b713c55d3ff0f3579cf3_amd64"
        },
        "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:1bd43dbaa0b53789699d46e22280ffb314a589caa924b713c55d3ff0f3579cf3_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/argocd-rhel8@sha256:363e64753141b70b05cbe1a212aa4626cd7001e136d2a7a30ce995acefb79918_s390x as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:363e64753141b70b05cbe1a212aa4626cd7001e136d2a7a30ce995acefb79918_s390x"
        },
        "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:363e64753141b70b05cbe1a212aa4626cd7001e136d2a7a30ce995acefb79918_s390x",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/argocd-rhel8@sha256:79c519c218fd5f3ec14b2f9b263553626ca3bc05141463a5deb9814644291044_ppc64le as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:79c519c218fd5f3ec14b2f9b263553626ca3bc05141463a5deb9814644291044_ppc64le"
        },
        "product_reference": "openshift-gitops-1/argocd-rhel8@sha256:79c519c218fd5f3ec14b2f9b263553626ca3bc05141463a5deb9814644291044_ppc64le",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/dex-rhel8@sha256:74c182734ae54034b314c9b2adc0c3ef74688e3a5ec3c05b8cc0f07ef88460a4_s390x as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:74c182734ae54034b314c9b2adc0c3ef74688e3a5ec3c05b8cc0f07ef88460a4_s390x"
        },
        "product_reference": "openshift-gitops-1/dex-rhel8@sha256:74c182734ae54034b314c9b2adc0c3ef74688e3a5ec3c05b8cc0f07ef88460a4_s390x",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/dex-rhel8@sha256:ad064ab1165f73f00ca1984a4736738a7fbfe9771ceda37043118333a6801e50_ppc64le as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:ad064ab1165f73f00ca1984a4736738a7fbfe9771ceda37043118333a6801e50_ppc64le"
        },
        "product_reference": "openshift-gitops-1/dex-rhel8@sha256:ad064ab1165f73f00ca1984a4736738a7fbfe9771ceda37043118333a6801e50_ppc64le",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/dex-rhel8@sha256:e4a938f215d754b1de7c974b1b43e5959def4b3224907ab5fd30ca44d0c4f0bc_amd64 as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:e4a938f215d754b1de7c974b1b43e5959def4b3224907ab5fd30ca44d0c4f0bc_amd64"
        },
        "product_reference": "openshift-gitops-1/dex-rhel8@sha256:e4a938f215d754b1de7c974b1b43e5959def4b3224907ab5fd30ca44d0c4f0bc_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-operator-bundle@sha256:b22190de3162d3e03481cae8904ce563912756eea7ac7e7feec0acbbdae5e6f6_amd64 as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:b22190de3162d3e03481cae8904ce563912756eea7ac7e7feec0acbbdae5e6f6_amd64"
        },
        "product_reference": "openshift-gitops-1/gitops-operator-bundle@sha256:b22190de3162d3e03481cae8904ce563912756eea7ac7e7feec0acbbdae5e6f6_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:04a3258fe00fe8ea9e0b48e5911a7c148f6c6dbc0cbb2d5b6d5071d0f27064b2_s390x as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:04a3258fe00fe8ea9e0b48e5911a7c148f6c6dbc0cbb2d5b6d5071d0f27064b2_s390x"
        },
        "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:04a3258fe00fe8ea9e0b48e5911a7c148f6c6dbc0cbb2d5b6d5071d0f27064b2_s390x",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:8c7dcf0bc33c767474b7a637a6dd744b0b677011ac9cdc3471c889611e265046_amd64 as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:8c7dcf0bc33c767474b7a637a6dd744b0b677011ac9cdc3471c889611e265046_amd64"
        },
        "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:8c7dcf0bc33c767474b7a637a6dd744b0b677011ac9cdc3471c889611e265046_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-rhel8-operator@sha256:a807e500c68bc01c05cc7614adf973eb383384b5ba907be9e158fdaf76737fbe_ppc64le as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:a807e500c68bc01c05cc7614adf973eb383384b5ba907be9e158fdaf76737fbe_ppc64le"
        },
        "product_reference": "openshift-gitops-1/gitops-rhel8-operator@sha256:a807e500c68bc01c05cc7614adf973eb383384b5ba907be9e158fdaf76737fbe_ppc64le",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-rhel8@sha256:3b5b34b740ddb442af9eee77e47c009710c953cdd1c7998d946c115c71250b86_amd64 as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:3b5b34b740ddb442af9eee77e47c009710c953cdd1c7998d946c115c71250b86_amd64"
        },
        "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:3b5b34b740ddb442af9eee77e47c009710c953cdd1c7998d946c115c71250b86_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-rhel8@sha256:77a0917c97f5aa5430693c00653fe066f90de786911e6b2744ed8fc2dec69e81_ppc64le as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:77a0917c97f5aa5430693c00653fe066f90de786911e6b2744ed8fc2dec69e81_ppc64le"
        },
        "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:77a0917c97f5aa5430693c00653fe066f90de786911e6b2744ed8fc2dec69e81_ppc64le",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/gitops-rhel8@sha256:cfd94ed64a41fd2aa9c73d5f125eda68da3c6a920270eb3e2a603fae15caad11_s390x as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:cfd94ed64a41fd2aa9c73d5f125eda68da3c6a920270eb3e2a603fae15caad11_s390x"
        },
        "product_reference": "openshift-gitops-1/gitops-rhel8@sha256:cfd94ed64a41fd2aa9c73d5f125eda68da3c6a920270eb3e2a603fae15caad11_s390x",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:46fcd72037b36b4201d9b69c553efa843eeb84ccc276d42ace16c9b3ba16000e_amd64 as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:46fcd72037b36b4201d9b69c553efa843eeb84ccc276d42ace16c9b3ba16000e_amd64"
        },
        "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:46fcd72037b36b4201d9b69c553efa843eeb84ccc276d42ace16c9b3ba16000e_amd64",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:99c4f2d3c76af623dcc2f362ce5342d6e3ca5f68985990347192e7757557b7b4_s390x as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:99c4f2d3c76af623dcc2f362ce5342d6e3ca5f68985990347192e7757557b7b4_s390x"
        },
        "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:99c4f2d3c76af623dcc2f362ce5342d6e3ca5f68985990347192e7757557b7b4_s390x",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-gitops-1/kam-delivery-rhel8@sha256:9e2d4d35ed9e9155311c4c0823ca6f471968d3c668f41d4ae6a88772fee949fa_ppc64le as a component of Red Hat OpenShift GitOps 1.6",
          "product_id": "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:9e2d4d35ed9e9155311c4c0823ca6f471968d3c668f41d4ae6a88772fee949fa_ppc64le"
        },
        "product_reference": "openshift-gitops-1/kam-delivery-rhel8@sha256:9e2d4d35ed9e9155311c4c0823ca6f471968d3c668f41d4ae6a88772fee949fa_ppc64le",
        "relates_to_product_reference": "8Base-GitOps-1.6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-41354",
      "discovery_date": "2023-02-07T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:74c182734ae54034b314c9b2adc0c3ef74688e3a5ec3c05b8cc0f07ef88460a4_s390x",
            "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:ad064ab1165f73f00ca1984a4736738a7fbfe9771ceda37043118333a6801e50_ppc64le",
            "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:e4a938f215d754b1de7c974b1b43e5959def4b3224907ab5fd30ca44d0c4f0bc_amd64",
            "8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:b22190de3162d3e03481cae8904ce563912756eea7ac7e7feec0acbbdae5e6f6_amd64",
            "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:04a3258fe00fe8ea9e0b48e5911a7c148f6c6dbc0cbb2d5b6d5071d0f27064b2_s390x",
            "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:8c7dcf0bc33c767474b7a637a6dd744b0b677011ac9cdc3471c889611e265046_amd64",
            "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:a807e500c68bc01c05cc7614adf973eb383384b5ba907be9e158fdaf76737fbe_ppc64le",
            "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:3b5b34b740ddb442af9eee77e47c009710c953cdd1c7998d946c115c71250b86_amd64",
            "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:77a0917c97f5aa5430693c00653fe066f90de786911e6b2744ed8fc2dec69e81_ppc64le",
            "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:cfd94ed64a41fd2aa9c73d5f125eda68da3c6a920270eb3e2a603fae15caad11_s390x",
            "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:46fcd72037b36b4201d9b69c553efa843eeb84ccc276d42ace16c9b3ba16000e_amd64",
            "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:99c4f2d3c76af623dcc2f362ce5342d6e3ca5f68985990347192e7757557b7b4_s390x",
            "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:9e2d4d35ed9e9155311c4c0823ca6f471968d3c668f41d4ae6a88772fee949fa_ppc64le"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2167820"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:1bd43dbaa0b53789699d46e22280ffb314a589caa924b713c55d3ff0f3579cf3_amd64",
          "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:363e64753141b70b05cbe1a212aa4626cd7001e136d2a7a30ce995acefb79918_s390x",
          "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:79c519c218fd5f3ec14b2f9b263553626ca3bc05141463a5deb9814644291044_ppc64le"
        ],
        "known_not_affected": [
          "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:74c182734ae54034b314c9b2adc0c3ef74688e3a5ec3c05b8cc0f07ef88460a4_s390x",
          "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:ad064ab1165f73f00ca1984a4736738a7fbfe9771ceda37043118333a6801e50_ppc64le",
          "8Base-GitOps-1.6:openshift-gitops-1/dex-rhel8@sha256:e4a938f215d754b1de7c974b1b43e5959def4b3224907ab5fd30ca44d0c4f0bc_amd64",
          "8Base-GitOps-1.6:openshift-gitops-1/gitops-operator-bundle@sha256:b22190de3162d3e03481cae8904ce563912756eea7ac7e7feec0acbbdae5e6f6_amd64",
          "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:04a3258fe00fe8ea9e0b48e5911a7c148f6c6dbc0cbb2d5b6d5071d0f27064b2_s390x",
          "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:8c7dcf0bc33c767474b7a637a6dd744b0b677011ac9cdc3471c889611e265046_amd64",
          "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8-operator@sha256:a807e500c68bc01c05cc7614adf973eb383384b5ba907be9e158fdaf76737fbe_ppc64le",
          "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:3b5b34b740ddb442af9eee77e47c009710c953cdd1c7998d946c115c71250b86_amd64",
          "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:77a0917c97f5aa5430693c00653fe066f90de786911e6b2744ed8fc2dec69e81_ppc64le",
          "8Base-GitOps-1.6:openshift-gitops-1/gitops-rhel8@sha256:cfd94ed64a41fd2aa9c73d5f125eda68da3c6a920270eb3e2a603fae15caad11_s390x",
          "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:46fcd72037b36b4201d9b69c553efa843eeb84ccc276d42ace16c9b3ba16000e_amd64",
          "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:99c4f2d3c76af623dcc2f362ce5342d6e3ca5f68985990347192e7757557b7b4_s390x",
          "8Base-GitOps-1.6:openshift-gitops-1/kam-delivery-rhel8@sha256:9e2d4d35ed9e9155311c4c0823ca6f471968d3c668f41d4ae6a88772fee949fa_ppc64le"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2022-41354"
        },
        {
          "category": "external",
          "summary": "RHBZ#2167820",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167820"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2022-41354",
          "url": "https://www.cve.org/CVERecord?id=CVE-2022-41354"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2022-41354",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41354"
        },
        {
          "category": "external",
          "summary": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq",
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq"
        }
      ],
      "release_date": "2023-03-23T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2023-03-23T18:46:43+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:1bd43dbaa0b53789699d46e22280ffb314a589caa924b713c55d3ff0f3579cf3_amd64",
            "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:363e64753141b70b05cbe1a212aa4626cd7001e136d2a7a30ce995acefb79918_s390x",
            "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:79c519c218fd5f3ec14b2f9b263553626ca3bc05141463a5deb9814644291044_ppc64le"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2023:1453"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:1bd43dbaa0b53789699d46e22280ffb314a589caa924b713c55d3ff0f3579cf3_amd64",
            "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:363e64753141b70b05cbe1a212aa4626cd7001e136d2a7a30ce995acefb79918_s390x",
            "8Base-GitOps-1.6:openshift-gitops-1/argocd-rhel8@sha256:79c519c218fd5f3ec14b2f9b263553626ca3bc05141463a5deb9814644291044_ppc64le"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API"
    }
  ]
}

cve-2022-41354

Vulnerability from cvelistv5

Published

2023-03-27 00:00

Modified

2025-02-19 18:46

Severity ?

Summary

An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.

References

▼	URL	Tags
	http://argo.com
	https://github.com/chunklhit/cve/blob/master/argo/argo-cd/application_enumeration.md
	https://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T12:42:45.688Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://argo.com"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/chunklhit/cve/blob/master/argo/argo-cd/application_enumeration.md"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-41354",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-19T18:46:13.512199Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-19T18:46:38.230Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-27T00:00:00.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "http://argo.com"
        },
        {
          "url": "https://github.com/chunklhit/cve/blob/master/argo/argo-cd/application_enumeration.md"
        },
        {
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2022-41354",
    "datePublished": "2023-03-27T00:00:00.000Z",
    "dateReserved": "2022-09-26T00:00:00.000Z",
    "dateUpdated": "2025-02-19T18:46:38.230Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted