argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Request for Fixing Identified Vulnerabilities in ArgoCD 2.11.8 #20008

Open BaruchBilanski opened 2 months ago

BaruchBilanski commented 2 months ago

Summary

Multiple vulnerabilities have been identified in the ArgoCD image (quay.io/argoproj/argocd:v2.11.8), including one HIGH severity issue and five MEDIUM severity issues. These vulnerabilities span various libraries and could potentially lead to elevation of privilege, denial of service, and information disclosure.

Details

The following vulnerabilities were detected:

HIGH severity:

Library: github.com/cloudflare/circl (v1.3.3)
Vulnerability: GHSA-9763-4f94-gfch (Timing side-channel in CIRCL's Kyber implementation)
Fixed in version: 1.3.7

MEDIUM severity (selected):

Library: github.com/Azure/azure-sdk-for-go/sdk/azidentity (v1.1.0)
Vulnerability: CVE-2024-35255 (Elevation of Privilege)
Fixed in version: 1.6.0

Library: github.com/hashicorp/go-retryablehttp (v0.7.4)
Vulnerability: CVE-2024-6104 (Potential sensitive information leak to log files)
Fixed in version: 0.7.7

Library: k8s.io/kubernetes (v1.26.11)
Vulnerability: CVE-2024-5321 (Incorrect permissions on Windows containers logs)
Fixed in versions: 1.27.16, 1.28.12, 1.29.7, 1.30.3

PoC

To reproduce and verify these vulnerabilities:

1. Pull the ArgoCD image: docker pull quay.io/argoproj/argocd:v2.11.8
2. Run a vulnerability scanner (e.g., Trivy) against the image
3. Observe the reported vulnerabilities matching those listed in the Details section

Impact

- Elevation of Privilege: The Azure SDK vulnerability could potentially allow unauthorized access to resources.
- Information Disclosure: The go-retryablehttp vulnerability might lead to sensitive information being logged.
- Denial of Service: The golang.org/x/net vulnerability could potentially be exploited to cause a DoS condition.
- Security Bypass: The Kubernetes vulnerability could allow unauthorized access to container logs on Windows hosts.

These vulnerabilities affect various components of the ArgoCD system and could compromise the security and integrity of deployments managed by ArgoCD. It is recommended to update to a patched version of ArgoCD that includes fixes for these vulnerabilities.

Screenshot

[scanner screenshot attached to the original issue; image not reproduced here]

andrii-korotkov-verkada commented 2 weeks ago

The first one is patched on master https://github.com/argoproj/argo-cd/blob/5d0a3e6e9abd7e922e72e27c992ed0cdc0824f99/go.mod#L186 and on v2.13.0 https://github.com/argoproj/argo-cd/blob/v2.13.0/go.mod#L187

The second is patched on master https://github.com/argoproj/argo-cd/blob/5d0a3e6e9abd7e922e72e27c992ed0cdc0824f99/go.mod#L118, but NOT on v2.13 https://github.com/argoproj/argo-cd/blob/v2.13.0/go.mod#L118

The third one https://github.com/argoproj/argo-cd/blob/5d0a3e6e9abd7e922e72e27c992ed0cdc0824f99/go.mod#L56 and in v2.13 https://github.com/argoproj/argo-cd/blob/v2.13.0/go.mod#L56.

The fourth one might be, using Kubernetes 1.31.0 https://github.com/argoproj/argo-cd/blob/5d0a3e6e9abd7e922e72e27c992ed0cdc0824f99/go.mod#L290, and on v2.13.0 as well https://github.com/argoproj/argo-cd/blob/v2.13.0/go.mod#L291.

Feel free to upgrade to v2.13.0, which would leave only one medium vulnerability out of those.
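A way to repeat the go.mod comparison made in this thread without clicking through the links, added here as an example and not code from the issue or from the Argo CD project: it parses a go.mod (a constructed sample below, not the project's real file), compares the four modules against the fixed versions the issue lists, and treats k8s.io/kubernetes per release branch, since its fix list names one version per branch.

```python
import re
# Module -> (advisory, fixed versions) as listed in the issue; k8s.io/kubernetes has one fix per branch.
ADVISORIES = {
    "github.com/cloudflare/circl": ("GHSA-9763-4f94-gfch", ["1.3.7"]),
    "github.com/Azure/azure-sdk-for-go/sdk/azidentity": ("CVE-2024-35255", ["1.6.0"]),
    "github.com/hashicorp/go-retryablehttp": ("CVE-2024-6104", ["0.7.7"]),
    "k8s.io/kubernetes": ("CVE-2024-5321", ["1.27.16", "1.28.12", "1.29.7", "1.30.3"]),
}
# Constructed sample go.mod for this example; it is not argo-cd's real go.mod.
SAMPLE_GO_MOD = """\
module example.com/constructed
require (
\tgithub.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
\tgithub.com/cloudflare/circl v1.3.3
\tgithub.com/hashicorp/go-retryablehttp v0.7.7 // indirect
\tk8s.io/kubernetes v1.31.0
)
"""

def parse_version(v):
    """'v1.2.3-pre+meta' -> (1, 2, 3); pre-release and build suffixes are ignored."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split("."))

def parse_go_mod(text):
    """Return {module: version} from require lines (single-line or block form); replace is ignored."""
    mods, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()          # drop trailing comments such as "// indirect"
        if line == "require (":
            in_block = True
        elif line == ")":
            in_block = False
        elif in_block or line.startswith("require "):
            m = re.match(r"^(?:require\s+)?(\S+)\s+(v\S+)$", line)
            if m:
                mods[m.group(1)] = m.group(2)
    return mods

def is_fixed(installed, fixed_versions):
    """Fixed if on a newer major.minor branch than any listed fix, or at/above the fix for its own branch."""
    inst = parse_version(installed)
    fixed = sorted(parse_version(f) for f in fixed_versions)
    # An older branch with no listed fix (e.g. 1.26.x for CVE-2024-5321) stays vulnerable.
    return inst[:2] > fixed[-1][:2] or any(inst >= f for f in fixed if inst[:2] == f[:2])

def outstanding(go_mod_text):
    """List (module, installed, advisory) for listed modules still below a fixed version."""
    mods = parse_go_mod(go_mod_text)
    return [(mod, mods[mod], adv) for mod, (adv, fixed) in ADVISORIES.items()
            if mod in mods and not is_fixed(mods[mod], fixed)]
```

On the constructed sample only the circl entry is reported; run it against the go.mod of the tag you deploy to get the real answer.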