Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31016 #495

Closed
GoVulnBot opened this issue Jun 25, 2022 · 2 comments
Closed

x/vulndb: potential Go vuln in github.com/argoproj/argo-cd: CVE-2022-31016 #495

GoVulnBot opened this issue Jun 25, 2022 · 2 comments
Assignees
@neild
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

CVE-2022-31016 references github.com/argoproj/argo-cd, which may be a Go module.

Description:
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.

Links:

See doc/triage.md for instructions on how to triage this report.

packages:
  - module: github.com/argoproj/argo-cd
    package: argo-cd
description: |
    Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service,  resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file.  The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.
cves:
  - CVE-2022-31016
links:
    context:
      - https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq
@neild neild self-assigned this Jul 11, 2022
@neild
Copy link
Contributor

neild commented Jul 11, 2022

Vulnerability in tool.

@neild neild closed this as completed Jul 11, 2022
@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 10, 2022
This was referenced Jan 25, 2023
Closed
Closed
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Feb 8, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Feb 16, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Mar 27, 2023
Closed
This was referenced Aug 23, 2023
Closed
Closed
This was referenced Sep 8, 2023
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Sep 27, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Jan 19, 2024
Closed
This was referenced Mar 18, 2024
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 15, 2024
Closed
@GoVulnBot GoVulnBot mentioned this issue Apr 26, 2024
Closed
This was referenced May 21, 2024
Closed
Closed
This was referenced Jun 7, 2024
Closed
Closed
@GoVulnBot GoVulnBot mentioned this issue Jul 24, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607219 mentions this issue: data/reports: unexclude 20 reports (17)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (17)
41b516d 
  - data/reports/GO-2022-0457.yaml
  - data/reports/GO-2022-0458.yaml
  - data/reports/GO-2022-0459.yaml
  - data/reports/GO-2022-0471.yaml
  - data/reports/GO-2022-0473.yaml
  - data/reports/GO-2022-0480.yaml
  - data/reports/GO-2022-0482.yaml
  - data/reports/GO-2022-0483.yaml
  - data/reports/GO-2022-0490.yaml
  - data/reports/GO-2022-0491.yaml
  - data/reports/GO-2022-0494.yaml
  - data/reports/GO-2022-0495.yaml
  - data/reports/GO-2022-0496.yaml
  - data/reports/GO-2022-0497.yaml
  - data/reports/GO-2022-0498.yaml
  - data/reports/GO-2022-0499.yaml
  - data/reports/GO-2022-0500.yaml
  - data/reports/GO-2022-0501.yaml
  - data/reports/GO-2022-0502.yaml
  - data/reports/GO-2022-0505.yaml

Updates #457
Updates #458
Updates #459
Updates #471
Updates #473
Updates #480
Updates #482
Updates #483
Updates #490
Updates #491
Updates #494
Updates #495
Updates #496
Updates #497
Updates #498
Updates #499
Updates #500
Updates #501
Updates #502
Updates #505

Change-Id: I92c5f4afd83bb1c6bd9f448bc65ca730c64ce770
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607219
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@neild neild

Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@neild @gopherbot @GoVulnBot