x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-6jqw-jwf5-rp8h

[GoVulnBot]

In GitHub Security Advisory GHSA-6jqw-jwf5-rp8h, there is a vulnerability in the following Go packages or modules:

Unit	Fixed	Vulnerable Ranges
github.com/argoproj/argo-cd/v2	2.3.0	< 2.3.0

Cross references:

• Module github.com/argoproj/argo-cd/v2 appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-qq5v-f4c3-395c #869 NOT_IMPORTABLE
• Module github.com/argoproj/argo-cd/v2 appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-2q5c-qw9c-fmvq #1670 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd/v2 appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-xj7v-c82w-92q2 #1952 EFFECTIVELY_PRIVATE
• Module github.com/argoproj/argo-cd/v2 appears in issue x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2023-25163 #1548

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/argoproj/argo-cd/v2
      versions:
        - fixed: 2.3.0
      vulnerable_at: 2.3.0-rc5
      packages:
        - package: github.com/argoproj/argo-cd/v2
    - module: github.com/argoproj/argo-cd/v2
      versions:
        - {}
      vulnerable_at: 2.8.4
      packages:
        - package: github.com/argoproj/argo-cd
summary: Path traversal allows leaking out-of-bound Helm charts from Argo CD repo-server
description: |-
    ### Impact In Argo CD versions prior to 2.3 (starting at least in v0.1.0, but
    likely in any version using Helm before 2.3), using a specifically-crafted Helm
    file could reference external Helm charts handled by the same repo-server to
    leak values, or files from the referenced Helm Chart. This was possible because
    Helm paths were predictable.

    The vulnerability worked by adding a Helm chart that referenced Helm resources
    from predictable paths. Because the paths of Helm charts were predictable and
    available on an instance of repo-server, it was possible to reference and then
    render the values and resources from other existing Helm charts regardless of
    permissions. While generally, secrets are not stored in these files, it was
    nevertheless possible to reference any values from these charts.

    ### Patches This issue was fixed in Argo CD 2.3 and subsequent versions by
    randomizing Helm paths.

    ### Workarounds User's still using Argo CD 2.3 or below are advised to update to
    a [supported
    version](https://argo-cd.readthedocs.io/en/stable/operator-manual/installation/#supported-versions).
    If this is not possible, disabling Helm chart rendering, or using an additional
    repo-server for each Helm chart would prevent possible exploitation.

    ### References
    https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7

    ### For more information If you have any questions or comments about this
    advisory:
    * Open an issue in [example link to repo](http://example.com)
    * Email us at [example email address](mailto:example@example.com)
cves:
    - CVE-2023-40026
ghsas:
    - GHSA-6jqw-jwf5-rp8h
references:
    - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-63qx-x74g-jcr7
    - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-6jqw-jwf5-rp8h
    - advisory: https://github.com/advisories/GHSA-6jqw-jwf5-rp8h

[jba]

Vulnerability in tool.

[gopherbot]

Change https://go.dev/cl/531705 mentions this issue: data/excluded: batch add 18 excluded reports

[gopherbot]

Change https://go.dev/cl/592763 mentions this issue: data/reports: unexclude 75 reports

[gopherbot]

Change https://go.dev/cl/606791 mentions this issue: data/reports: unexclude 20 reports (11)