SB2022080821 - Multiple vulnerabilities in argo-cd
Published: August 8, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Deserialization of Untrusted Data (CVE-ID: CVE-2022-28948)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to insecure input validation when processing serialized data in the Unmarshal function. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
2) Use-after-free (CVE-ID: CVE-2022-30065)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing a crafted awk pattern in the copyvar function. A remote attacker can execute arbitrary code on the target system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
3) Missing Encryption of Sensitive Data (CVE-ID: CVE-2022-2097)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimized implementation. Under specific circumstances OpenSSL does not encrypt the entire message and can reveal sixteen bytes of data that was preexisting in the memory that wasn't written. A remote attacker can gain access to potentially sensitive information.
4) Type Confusion (CVE-ID: CVE-2021-23820)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error. A remote attacker can pass specially crafted data to the application, trigger a type confusion error and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.
References
- https://github.com/argoproj/argo-cd/releases/tag/v2.4.8"
- https://github.com/argoproj/argo-cd/releases/tag/v2.4.8</a></p><p><a
- https://github.com/argoproj/argo-cd/releases/tag/v2.3.7"
- https://github.com/argoproj/argo-cd/releases/tag/v2.3.7</a></p><p>
- https://github.com/argoproj/argo-cd/releases/tag/v2.2.12</p><p><br></p>
- https://github.com/argoproj/argo-cd/releases/tag/v2.2.12