{"id":26291,"date":"2022-06-27T22:30:00","date_gmt":"2022-06-27T18:30:00","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167586\/RHSA-2022-5192-01.txt"},"modified":"2022-07-13T10:52:56","modified_gmt":"2022-07-13T06:22:56","slug":"red-hat-security-advisory-2022-5192-01","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/red-hat-security-advisory-2022-5192-01\/","title":{"rendered":"Red Hat Security Advisory 2022-5192-01"},"content":{"rendered":"<p dir=\"ltr\">&#8212;&#8211;BEGIN PGP SIGNED MESSAGE&#8212;&#8211;<br \/>\nHash: SHA256<\/p>\n<p dir=\"ltr\">=====================================================================<br \/>\nRed Hat Security Advisory<\/p>\n<p dir=\"ltr\">Synopsis: Important: Red Hat OpenShift GitOps security update<br \/>\nAdvisory ID: RHSA-2022:5192-01<br \/>\nProduct: Red Hat OpenShift GitOps<br \/>\nAdvisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:5192<br \/>\nIssue date: 2022-06-24<br \/>\nCVE Names: CVE-2018-25032 CVE-2022-1271 CVE-2022-31016<br \/>\nCVE-2022-31034 CVE-2022-31035 CVE-2022-31036<br \/>\n=====================================================================<\/p>\n<p dir=\"ltr\">1. Summary:<\/p>\n<p dir=\"ltr\">An update is now available for Red Hat OpenShift GitOps 1.3.<\/p>\n<p dir=\"ltr\">Red Hat Product Security has rated this update as having a security impact<br \/>\nof Important. A Common Vulnerability Scoring System (CVSS) base score,<br \/>\nwhich gives a detailed severity rating, is available for each vulnerability<br \/>\nfrom the CVE link(s) in the References section.<\/p>\n<p dir=\"ltr\">2. Description:<\/p>\n<p dir=\"ltr\">Red Hat Openshift GitOps is a declarative way to implement continuous<br \/>\ndeployment for cloud native applications.<\/p>\n<p dir=\"ltr\">Security Fix(es):<\/p>\n<p dir=\"ltr\">* argocd: vulnerable to a variety of attacks when an SSO login is initiated<br \/>\nfrom the Argo CD CLI or the UI. (CVE-2022-31034)<\/p>\n<p dir=\"ltr\">* argocd: cross-site scripting (XSS) allow a malicious user to inject a<br \/>\njavascript link in the UI (CVE-2022-31035)<\/p>\n<p dir=\"ltr\">* argocd: vulnerable to an uncontrolled memory consumption bug<br \/>\n(CVE-2022-31016)<\/p>\n<p dir=\"ltr\">* argocd: vulnerable to a symlink following bug allowing a malicious user<br \/>\nwith repository write access (CVE-2022-31036)<\/p>\n<p dir=\"ltr\">For more details about the security issue(s), including the impact, a CVSS<br \/>\nscore, acknowledgments, and other related information, refer to the CVE<br \/>\npage(s) listed in the References section.<\/p>\n<p dir=\"ltr\">3. Solution:<\/p>\n<p dir=\"ltr\">For details on how to apply this update, which includes the changes<br \/>\ndescribed in this advisory, refer to:<\/p>\n<p dir=\"ltr\">https:\/\/access.redhat.com\/articles\/11258<\/p>\n<p dir=\"ltr\">4. Bugs fixed (https:\/\/bugzilla.redhat.com\/):<\/p>\n<p dir=\"ltr\">2096278 &#8211; CVE-2022-31035 argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI<br \/>\n2096282 &#8211; CVE-2022-31034 argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI.<br \/>\n2096283 &#8211; CVE-2022-31016 argocd: vulnerable to an uncontrolled memory consumption bug<br \/>\n2096291 &#8211; CVE-2022-31036 argocd: vulnerable to a symlink following bug allowing a malicious user with repository write access<\/p>\n<p dir=\"ltr\">5. References:<\/p>\n<p dir=\"ltr\">https:\/\/access.redhat.com\/security\/cve\/CVE-2018-25032<br \/>\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-1271<br \/>\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-31016<br \/>\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-31034<br \/>\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-31035<br \/>\nhttps:\/\/access.redhat.com\/security\/cve\/CVE-2022-31036<br \/>\nhttps:\/\/access.redhat.com\/security\/updates\/classification\/#important<\/p>\n<p dir=\"ltr\">6. Contact:<\/p>\n<p dir=\"ltr\">The Red Hat security contact is &lt;secalert@redhat.com&gt;. More contact<br \/>\ndetails at https:\/\/access.redhat.com\/security\/team\/contact\/<\/p>\n<p dir=\"ltr\">Copyright 2022 Red Hat, Inc.<br \/>\n&#8212;&#8211;BEGIN PGP SIGNATURE&#8212;&#8211;<br \/>\nVersion: GnuPG v1<\/p>\n<p dir=\"ltr\">iQIVAwUBYrZYPdzjgjWX9erEAQjrKg\/\/fhNsc37\/PGObQ+ILtKev6tbnelvEZXen<br \/>\nq4eqQw+qbj2BXJyBVudmB1yrnMYc5ZcQViuQwAbhFafexFR5b6UjGr+g8x+5lSIq<br \/>\no\/RBisD\/Ob7\/uavZua+ZzRutE3ER\/f5YVK86AvK5cbk8hAlTtL0UN7RlFictYW+0<br \/>\nhld0OyTXKUioPgwjZagQX7fhcyAKJsMIpnG8jZfygSsDje0fIDAHsyPfPGVWibUM<br \/>\n1mRE9x618hFD+Dml70BpXE5X2CTnyfIQbWtPmR3KX5muhnh64zpNk3jGHhtjIqI9<br \/>\nzT7CLR8o5Dvr6\/n+HLT4WjPmfLiX2Hbo7fe4e4y2xdfkjDXPw4HoLr9ZF30FplG1<br \/>\neMhXCBWqyGYcYWh77lZlFLLQaz\/ZE5pf7DxqwGzWBUUVrBFEJ+bIQKjB\/y6WavnC<br \/>\nrxCboZoqRifcvyKM1mDUcBK9YO14j9GXwb2Xu1IK7Z92RXZzZxIyRmJNRZDMzGF9<br \/>\nuWxqBXbuSF\/eRQFrRhJn8aeVzzxPMiqe\/nRa1JsXJdMD8gyefVPloAVeRNx\/0EbO<br \/>\n4CpG2IGmQevfFx+E1ADM0X72TE0Bm1nzTSEd6D4i2DiA\/NyYo2Ape3In9lHg8qYV<br \/>\nXtcXBwBe14OJca+iAYTr3hMF\/xzrCtfGd\/lyf4ikQUMDWaNi2ixzA28MejDFJ0yl<br \/>\n8b5s087AQwk=<br \/>\n=FmJg<br \/>\n&#8212;&#8211;END PGP SIGNATURE&#8212;&#8211;<br \/>\n&#8212;<br \/>\nRHSA-announce mailing list<br \/>\nRHSA-announce@redhat.com<br \/>\nhttps:\/\/listman.redhat.com\/mailman\/listinfo\/rhsa-announce<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8212;&#8211;BEGIN PGP SIGNED MESSAGE&#8212;&#8211; Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenShift GitOps security update Advisory ID: RHSA-2022:5192-01 Product: Red Hat OpenShift GitOps Advisory URL: https:\/\/access.redhat.com\/errata\/RHSA-2022:5192 Issue date: 2022-06-24 CVE Names: CVE-2018-25032 CVE-2022-1271 CVE-2022-31016 CVE-2022-31034 CVE-2022-31035 CVE-2022-31036 ===================================================================== 1. Summary: An update is now available for Red Hat OpenShift GitOps 1.3. &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-26291","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/26291","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=26291"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/26291\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=26291"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=26291"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=26291"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}