OpenShift GitOps / GITOPS-3923

CVE-2023-49568 CSRF in github.com/argoproj/argo-cd [1.11]


Details

    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Undefined
    • Fix Version/s: 1.11.1
    • Affects Version/s: 1.11.0
    • Release Note Text:
      Before this update, Argo CD v2.9.2 and later (prior to v2.9.4) were vulnerable to cross-site request forgery (CSRF) attacks: the Argo CD API accepted non-GET requests regardless of their Content-Type header. Because a browser will send a cross-origin request with a form content type (such as text/plain) without a CORS preflight and will attach the user's cookies to it, an attacker-controlled page could cause the browser of a logged-in user to submit state-changing API requests with that user's session. This update fixes the issue by upgrading Argo CD to v2.9.5, which includes the Content-Type check added to the Argo CD API.

      IMPORTANT:
      Breaking change: The Argo CD API no longer accepts non-GET requests that do not declare application/json as their Content-Type. The list of accepted content types is configurable, but do not disable the content type check completely.
      Link: https://issues.redhat.com/browse/GITOPS-3923
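The following is an added example, written for this page and not Argo CD's own implementation, of the rule the breaking change describes: a Go HTTP middleware that lets safe requests through and rejects any other request whose media type is not on an allow list. It goes slightly beyond the note's "non-GET" wording by also exempting HEAD and OPTIONS (an assumption that those are read-only in the guarded API). The request path, the stub handler, and the Simulate helper are illustrative only. The main function runs the content types a cross-origin HTML form can send (which is exactly what a CSRF page can produce), a proper JSON request, a GET, and finally the disabled-check case the note warns against.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DefaultAllowedContentTypes is the post-fix default described in the release
// note: only application/json is accepted on state-changing requests.
var DefaultAllowedContentTypes = []string{"application/json"}

// isSafeMethod reports whether the method is exempt from the check. The release
// note says "non-GET"; HEAD and OPTIONS are treated the same way here
// (assumption: they cannot change state in the guarded API).
func isSafeMethod(m string) bool {
	return m == http.MethodGet || m == http.MethodHead || m == http.MethodOptions
}

// mediaType extracts the bare media type from a Content-Type header value,
// dropping parameters such as "; charset=utf-8". A missing or unparsable
// header yields "", which never matches an allowed entry.
func mediaType(header string) string {
	mt, _, err := mime.ParseMediaType(header)
	if err != nil {
		return ""
	}
	return strings.ToLower(mt)
}

// ContentTypeCheck wraps next and rejects non-safe requests whose media type is
// not in allowed. An empty allowed list disables the check entirely, which is
// the configuration the release note tells you not to use; it is supported here
// only so the demo can show what that state looks like.
func ContentTypeCheck(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isSafeMethod(r.Method) || len(allowed) == 0 {
			next.ServeHTTP(w, r)
			return
		}
		got := mediaType(r.Header.Get("Content-Type"))
		for _, a := range allowed {
			if got == strings.ToLower(a) {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "unsupported content type", http.StatusUnsupportedMediaType)
	})
}

// Simulate sends one in-memory request through the check, in front of a stub
// handler that always answers 200, and returns the resulting status code.
// The path is an illustrative application sync endpoint, not a live call.
func Simulate(allowed []string, method, contentType string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, "/api/v1/applications/guestbook/sync", strings.NewReader("{}"))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	rec := httptest.NewRecorder()
	ContentTypeCheck(allowed, ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Content types a cross-origin form or "simple" fetch can send without a
	// CORS preflight: the only ones a CSRF page gets to use.
	formTypes := []string{"", "text/plain", "application/x-www-form-urlencoded", "multipart/form-data"}
	for _, ct := range formTypes {
		fmt.Printf("POST %-40q -> %d\n", ct, Simulate(DefaultAllowedContentTypes, http.MethodPost, ct))
	}
	jsonCT := "application/json; charset=utf-8"
	fmt.Printf("POST %-40q -> %d\n", jsonCT, Simulate(DefaultAllowedContentTypes, http.MethodPost, jsonCT))
	fmt.Printf("GET  %-40q -> %d\n", "", Simulate(DefaultAllowedContentTypes, http.MethodGet, ""))
	// Empty list: check disabled, the text/plain CSRF request goes straight through.
	fmt.Printf("POST %-40q -> %d (check disabled)\n", "text/plain", Simulate(nil, http.MethodPost, "text/plain"))
}
```

The allowed list is the knob the note calls configurable. In Argo CD the corresponding setting is, to my knowledge, the server.api.content.types entry of the argocd-cmd-params-cm ConfigMap; confirm the key and its separator against the parameter reference for the version you run before relying on it. Whatever you add to that list, keep the form content types out of it and never leave it empty: the last line of the demo shows that with the check disabled a plain text/plain POST, which any attacker page can make a browser send, is accepted as if it were a legitimate API call.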

    Description

      UPDATE: This CVE is misnumbered. It should reference CVE-2024-22424, not CVE-2023-49568. The content is otherwise correct.

      Description of problem:

      https://github.com/argoproj/argo-cd/security/advisories/GHSA-92mw-q256-5vwg

      We need to upgrade the Argo CD version to 2.9.4 or later, the release that carries the fix for this advisory.


          People

            Assignee: rescott1 Regina Scott
            Reporter: rescott1 Regina Scott
            Votes: 0
            Watchers: 3