generated from wayfair-incubator/oss-template
-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update module github.com/argoproj/argo-cd/v2 to v2.11.7 [SECURITY] #198
Open
renovate
wants to merge
1
commit into
main
Choose a base branch
from
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Update module github.com/argoproj/argo-cd/v2 to v2.11.7 [SECURITY] #198
renovate
wants to merge
1
commit into
main
from
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
+6
−2
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ℹ Artifact update noticeFile name: go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.6 [security]
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Aug 7, 2024
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
August 7, 2024 17:37
a34a5c3
to
bef91e2
Compare
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
Oct 24, 2024
renovate
bot
deleted the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
October 24, 2024 07:24
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Oct 24, 2024
renovate
bot
restored the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
October 24, 2024 09:56
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
October 24, 2024 09:57
bef91e2
to
1c6553f
Compare
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
Oct 30, 2024
renovate
bot
deleted the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
October 30, 2024 15:29
renovate
bot
restored the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
October 30, 2024 20:03
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Oct 30, 2024
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
October 30, 2024 20:04
1c6553f
to
bd4cebb
Compare
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
Nov 11, 2024
renovate
bot
deleted the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
November 11, 2024 00:57
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Nov 11, 2024
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
November 11, 2024 04:05
29e6e77
to
bd4cebb
Compare
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
Nov 15, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Nov 15, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
Nov 21, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Nov 21, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
Nov 25, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Nov 25, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
Nov 29, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Nov 29, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
Nov 29, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Nov 30, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
Dec 12, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Dec 12, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
Dec 22, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security] - autoclosed
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Dec 22, 2024
renovate
bot
changed the title
fix(deps): update module github.com/argoproj/argo-cd/v2 to v2.11.7 [security]
Update module github.com/argoproj/argo-cd/v2 to v2.11.7 [SECURITY]
Dec 22, 2024
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
2 times, most recently
from
December 23, 2024 10:49
6b3cda0
to
8bdb54d
Compare
renovate
bot
force-pushed
the
renovate/go-github.com-argoproj-argo-cd-v2-vulnerability
branch
from
December 23, 2024 10:52
8bdb54d
to
42abc38
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v2.11.4
->v2.11.7
GitHub Vulnerability Alerts
CVE-2024-40634
Summary
This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.
Details
The webhook server always listens to requests. By default, the endpoint doesn't require authentication. It's possible to send a large, malicious request with headers (in this case "X-GitHub-Event: push") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side without allocating large amounts of memory, it can be arbitrarily large. Eventually, the argocd-server component will get OOMKilled as it consumes all its available memory.
The fix would be to enforce a limit on the size of the request being parsed.
PoC
Port-forward to the argocd-server service, like so:
kubectl port-forward svc/argocd-server -n argocd 8080:443
Run the below code:
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.11.6
v2.10.15
v2.9.20
For more information
If you have any questions or comments about this advisory:
Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd
Credits
This vulnerability was found & reported by Jakub Ciolek
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
CVE-2024-41666
Argo CD v2.11.3 and before, discovering that even if the user's
p, role:myrole, exec, create, */*, allow
permissions are revoked, the user can still send any Websocket message, which allows the user to view sensitive information. Even though they shouldn't have such access.Description
Argo CD has a Web-based terminal that allows you to get a shell inside a running pod, just like you would with kubectl exec. However, when the administrator enables this function and grants permission to the user
p, role:myrole, exec, create, */*, allow
, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time. CVE-2023-40025 Although the token expiration and revocation of the user are fixed, however, the fix does not address the situation of revocation of only userp, role:myrole, exec, create, */*, allow
permissions, which may still lead to the leakage of sensitive information.Patches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.11.7
v2.10.16
v2.9.21
For more information
If you have any questions or comments about this advisory:
Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd
Credits
This vulnerability was found & reported by
Shengjie Li, Huazhong University of Science and Technology
Zhi Li, Huazhong University of Science and Technology
Weijie Liu, Nankai University
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
Release Notes
argoproj/argo-cd (github.com/argoproj/argo-cd/v2)
v2.11.7
Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Other work
05edb2a
: feat: verify rbac on each message and not just during handshake (@pasha-codefresh)Full Changelog: argoproj/argo-cd@v2.11.6...v2.11.7
v2.11.6
Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
b980386
: fix: cherry-pick #18761 (v2.11) (#19108) (@blakepettersson)Other work
540e3a5
: Merge commit from fork (@pasha-codefresh)Full Changelog: argoproj/argo-cd@v2.11.5...v2.11.6
v2.11.5
Compare Source
Quick Start
Non-HA:
HA:
Release Signatures and Provenance
All Argo CD container images are signed by cosign. A Provenance is generated for container images and CLI binaries which meet the SLSA Level 3 specifications. See the documentation on how to verify.
Upgrading
If upgrading from a different minor version, be sure to read the upgrading documentation.
Changelog
Bug fixes
c0f780c
: fix(cli): Get Redis password from secret inloadClusters()
(#18951) (#18956) (@gcp-cherry-pick-bot[bot])Other work
d1c052d
: chore: update gitops-engine (2.11) (#19036) (@agaudreault)Full Changelog: argoproj/argo-cd@v2.11.4...v2.11.5
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.