SB2024042567 - Multiple vulnerabilities in Red Hat OpenShift GitOps v1.12.1 for Argo CD CLI and MicroShift GitOps
Published: April 25, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Resource management error (CVE-ID: CVE-2024-21661)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
2) Improper access control (CVE-ID: CVE-2023-50726)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper validation bug. A remote user with "create" but not "override" privileges can perform local sync.
3) Security features bypass (CVE-ID: CVE-2024-21652)
The vulnerability allows a remote attacker to bypass brute-force protection.
The vulnerability exists due to an error when handling different application states. A remote attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection.
4) Resource exhaustion (CVE-ID: CVE-2024-29893)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can crash the repo server component through an out of memory error by pointing it to a malicious Helm registry.
5) Security features bypass (CVE-ID: CVE-2024-21662)
The vulnerability allows a remote attacker to perform brute-force attack.
The vulnerability exists due to usage of a weak cache-based mechanism. A remote attacker can bypass the rate limit and brute force protections.
Remediation
Install update from vendor's website.