漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Improper access control allows admin privilege escalation in Argo CD
Vulnerability Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All unpatched versions of Argo CD starting with 1.0.0 are vulnerable to an improper access control bug, allowing a malicious user to potentially escalate their privileges to admin-level. Versions starting with 0.8.0 and 0.5.0 contain limited versions of this issue. To perform exploits, an authorized Argo CD user must have push access to an Application's source git or Helm repository or `sync` and `override` access to an Application. Once a user has that access, different exploitation levels are possible depending on their other RBAC privileges. A patch for this vulnerability has been released in Argo CD versions 2.3.2, 2.2.8, and 2.1.14. Some mitigation measures are available but do not serve as a substitute for upgrading. To avoid privilege escalation, limit who has push access to Application source repositories or `sync` + `override` access to Applications; and limit which repositories are available in projects where users have `update` access to Applications. To avoid unauthorized resource inspection/tampering, limit who has `delete`, `get`, or `action` access to Applications.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
信息暴露
Vulnerability Title
GitHub argo-cd 信息泄露漏洞
Vulnerability Description
GitHub argo-cd是 (Github)开源的一个应用软件。用于Kubernetes的声明性GitOps连续交付工具。 GitHub argo-cd 存在信息泄露漏洞,该漏洞源于不正确的访问控制导致管理员权限升级。从1.0.0版本开始的所有未打补丁版本的Argo CD都容易受到不正确的访问控制错误的攻击,攻击者利用该漏洞将其权限升级到管理员级别。从0.5.0版本开始和从0.8.0开始的版本就出现此漏洞。攻击者必须具有对应用程序源git或Helm存储库的推送访问权限,或对应用程序的“sync”和“o
CVSS Information
N/A
Vulnerability Type
N/A