Skip to content

Commit

Permalink
data/reports: add GO-2024-2643.yaml
Browse files Browse the repository at this point in the history 
Aliases: CVE-2023-50726, GHSA-g623-jcgg-mhmm

Fixes #2643

Change-Id: I7147fee5fc75e71eb4d34397f38e74c7d04a88db
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/573535
Run-TryBot: Tim King <taking@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
  • Loading branch information
@timothy-king
timothy-king committed Mar 22, 2024
1 parent ccfc322 commit c4ed78b
Show file tree
Hide file tree
Showing 2 changed files with 139 additions and 0 deletions.
99 changes: 99 additions & 0 deletions data/osv/GO-2024-2643.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,99 @@
{
"schema_version": "1.3.1",
"id": "GO-2024-2643",
"modified": "0001-01-01T00:00:00Z",
"published": "0001-01-01T00:00:00Z",
"aliases": [
"CVE-2023-50726",
"GHSA-g623-jcgg-mhmm"
],
"summary": "Bypass manifest during application creation in github.com/argoproj/argo-cd/v2",
"details": "An improper validation bug allows users who have create privileges to sync a local manifest during application creation. This allows for bypassing the restriction that the manifests come from some approved git/Helm/OCI source.",
"affected": [
{
"package": {
"name": "github.com/argoproj/argo-cd",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "1.2.0-rc1"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/argoproj/argo-cd/server/application",
"symbols": [
"Server.Create"
]
}
]
}
},
{
"package": {
"name": "github.com/argoproj/argo-cd/v2",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.8.12"
},
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.8"
},
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.3"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "github.com/argoproj/argo-cd/v2/server/application",
"symbols": [
"Server.Create"
]
}
]
}
}
],
"references": [
{
"type": "FIX",
"url": "https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978"
},
{
"type": "WEB",
"url": "https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac"
}
],
"credits": [
{
"name": "@crenshaw-dev"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2024-2643"
}
}
40 changes: 40 additions & 0 deletions data/reports/GO-2024-2643.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
id: GO-2024-2643
modules:
- module: github.com/argoproj/argo-cd
versions:
- introduced: 1.2.0-rc1
vulnerable_at: 1.8.6
packages:
- package: github.com/argoproj/argo-cd/server/application
symbols:
- Server.Create
skip_fix: Cannot handle replace directives within the go.mod file.
- module: github.com/argoproj/argo-cd/v2
versions:
- introduced: 2.0.0
fixed: 2.8.12
- introduced: 2.9.0
fixed: 2.9.8
- introduced: 2.10.0
fixed: 2.10.3
vulnerable_at: 2.10.2
packages:
- package: github.com/argoproj/argo-cd/v2/server/application
symbols:
- Server.Create
summary: Bypass manifest during application creation in github.com/argoproj/argo-cd/v2
description: |-
An improper validation bug allows users who have create privileges
to sync a local manifest during application creation. This allows for bypassing
the restriction that the manifests come from some approved git/Helm/OCI source.
cves:
- CVE-2023-50726
ghsas:
- GHSA-g623-jcgg-mhmm
credits:
- '@crenshaw-dev'
references:
- fix: https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978
- web: https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac
notes:
- create: found alias BIT-argo-cd-2023-50726 that is not a GHSA or CVE

0 comments on commit c4ed78b

Please sign in to comment.