漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Cluster secret might leak in cluster details page in Argo CD
Vulnerability Description
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in`kubectl.kubernetes.io/last-applied-configuration` annotation. pull request #7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets it also exposes the `kubectl.kubernetes.io/last-applied-configuration` annotation which includes full secret body. In order to view the cluster annotations via the Argo CD API, the user must have `clusters, get` RBAC access. **Note:** In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive. The bug has been patched in versions 2.8.3, 2.7.14, and 2.6.15. Users are advised to upgrade. Users unable to upgrade should update/deploy cluster secret with `server-side-apply` flag which does not use or rely on `kubectl.kubernetes.io/last-applied-configuration` annotation. Note: annotation for existing secrets will require manual removal.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Vulnerability Type
信息暴露
Vulnerability Title
ArgoCD 日志信息泄露漏洞
Vulnerability Description
ArgoCD是一个应用软件。用于Kubernetes的声明性GitOps连续交付工具。它持续监控正在运行的应用程序并将当前的实时状态与所需的目标状态(例如 Git 仓库中的配置)进行比较,在 Git 仓库更改时自动同步和部署应用程序。 ArgoCD 存在日志信息泄露漏洞。攻击者利用该漏洞可以获取敏感信息。
CVSS Information
N/A
Vulnerability Type
N/A