-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenShift GitOps security update Advisory ID: RHSA-2022:5192-01 Product: Red Hat OpenShift GitOps Advisory URL: https://access.redhat.com/errata/RHSA-2022:5192 Issue date: 2022-06-24 CVE Names: CVE-2018-25032 CVE-2022-1271 CVE-2022-31016 CVE-2022-31034 CVE-2022-31035 CVE-2022-31036 ===================================================================== 1. Summary: An update is now available for Red Hat OpenShift GitOps 1.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat Openshift GitOps is a declarative way to implement continuous deployment for cloud native applications. Security Fix(es): * argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. (CVE-2022-31034) * argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI (CVE-2022-31035) * argocd: vulnerable to an uncontrolled memory consumption bug (CVE-2022-31016) * argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access (CVE-2022-31036) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 2096278 - CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI 2096282 - CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. 2096283 - CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug 2096291 - CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access 5. References: https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-31016 https://access.redhat.com/security/cve/CVE-2022-31034 https://access.redhat.com/security/cve/CVE-2022-31035 https://access.redhat.com/security/cve/CVE-2022-31036 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYrZYPdzjgjWX9erEAQjrKg//fhNsc37/PGObQ+ILtKev6tbnelvEZXen q4eqQw+qbj2BXJyBVudmB1yrnMYc5ZcQViuQwAbhFafexFR5b6UjGr+g8x+5lSIq o/RBisD/Ob7/uavZua+ZzRutE3ER/f5YVK86AvK5cbk8hAlTtL0UN7RlFictYW+0 hld0OyTXKUioPgwjZagQX7fhcyAKJsMIpnG8jZfygSsDje0fIDAHsyPfPGVWibUM 1mRE9x618hFD+Dml70BpXE5X2CTnyfIQbWtPmR3KX5muhnh64zpNk3jGHhtjIqI9 zT7CLR8o5Dvr6/n+HLT4WjPmfLiX2Hbo7fe4e4y2xdfkjDXPw4HoLr9ZF30FplG1 eMhXCBWqyGYcYWh77lZlFLLQaz/ZE5pf7DxqwGzWBUUVrBFEJ+bIQKjB/y6WavnC rxCboZoqRifcvyKM1mDUcBK9YO14j9GXwb2Xu1IK7Z92RXZzZxIyRmJNRZDMzGF9 uWxqBXbuSF/eRQFrRhJn8aeVzzxPMiqe/nRa1JsXJdMD8gyefVPloAVeRNx/0EbO 4CpG2IGmQevfFx+E1ADM0X72TE0Bm1nzTSEd6D4i2DiA/NyYo2Ape3In9lHg8qYV XtcXBwBe14OJca+iAYTr3hMF/xzrCtfGd/lyf4ikQUMDWaNi2ixzA28MejDFJ0yl 8b5s087AQwk= =FmJg -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce