argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Orca Security scan finds vulnerability CVE-2023-47108 #17423

Closed kalpanathanneeru21 closed 3 months ago

kalpanathanneeru21 commented 8 months ago

Describe the bug

                                  {
[2024-03-06T07:19:32.655Z]           "vulnerability_id": "CVE-2023-47108",
[2024-03-06T07:19:32.655Z]           "severity": "HIGH",
[2024-03-06T07:19:32.656Z]           "pkg_name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
[2024-03-06T07:19:32.656Z]           "pkg_path": "",
[2024-03-06T07:19:32.656Z]           "installed_version": "v0.42.0",
[2024-03-06T07:19:32.656Z]           "fixed_version": "0.46.0",
[2024-03-06T07:19:32.656Z]           "cvss_v2_score": "",
[2024-03-06T07:19:32.656Z]           "cvss_v3_score": "7.5",
[2024-03-06T07:19:32.656Z]           "status_summary": {
[2024-03-06T07:19:32.656Z]             "priority": "HIGH",
[2024-03-06T07:19:32.656Z]             "status": "FAILED"
[2024-03-06T07:19:32.656Z]           }
[2024-03-06T07:19:32.656Z]         },
                                   {
[2024-03-06T11:08:09.378Z]           "vulnerability_id": "CVE-2023-48795",
[2024-03-06T11:08:09.378Z]           "severity": "MEDIUM",
[2024-03-06T11:08:09.378Z]           "pkg_name": "golang.org/x/crypto",
[2024-03-06T11:08:09.378Z]           "pkg_path": "",
[2024-03-06T11:08:09.378Z]           "installed_version": "v0.16.0",
[2024-03-06T11:08:09.378Z]           "fixed_version": "0.17.0",
[2024-03-06T11:08:09.378Z]           "cvss_v2_score": "",
[2024-03-06T11:08:09.378Z]           "cvss_v3_score": "5.9",
[2024-03-06T11:08:09.378Z]           "status_summary": {
[2024-03-06T11:08:09.378Z]             "priority": "MEDIUM",
[2024-03-06T11:08:09.378Z]             "status": "FAILED"
[2024-03-06T11:08:09.378Z]           }
[2024-03-06T11:08:09.378Z]         }

To Reproduce

Scan the v2.10.2 image of argocd using Orca or any scanning tool.

Expected behavior

In our env we are using the Orca tool to scan for vulnerabilities. Scanning v2.10.2 of argocd is failing with a few vulnerabilities.

Version

v2.10.2, pulling from quay.io/argoproj/argocd:v2.10.2

kalpanathanneeru21 commented 8 months ago

Is there any update on the mentioned CVEs?

Just seen that the latest release also does not have the updated libraries, which are:

"vulnerability_id": "CVE-2023-47108",
"severity": "HIGH",
"pkg_name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
"installed_version": "v0.42.0",
"fixed_version": "0.46.0",

"vulnerability_id": "CVE-2023-48795",
"severity": "MEDIUM",
"pkg_name": "golang.org/x/crypto",
"installed_version": "v0.16.0",
"fixed_version": "0.17.0",

"vulnerability_id": "CVE-2024-28180",
"severity": "MEDIUM",
"pkg_name": "github.com/go-jose/go-jose/v3",
"installed_version": "v3.0.1",
"fixed_version": "3.0.3",

Please do the needful

confusedcrib commented 7 months ago

Please see the security policy; this issue is likely not going to get addressed unless you provide some evidence that these vulnerabilities are actually exploitable in the context of ArgoCD and need to be taken seriously. https://github.com/argoproj/argo-cd/blob/master/SECURITY.md

blakepettersson commented 3 months ago

otelgrpc has been bumped to 0.46.1 in any case.