Vulnerability identifier: #VU53661
Vulnerability risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-285
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Red Hat OpenShift GitOps (Web applications / Other software)
Vendor: Red Hat Inc.
Description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists in the argo-cd implementation. Any unprivileged user is able to deploy argocd in their own namespace and, using the ServiceAccount argocd-argocd-server created by that deployment, read all resources of the cluster, including all secrets, which might enable privilege escalation.
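As an added defender-side check (not code from the advisory or from Argo CD), the following audits cluster RBAC for the situation described above: whether a given ServiceAccount such as argocd-argocd-server is bound, through a ClusterRoleBinding, to a ClusterRole that grants read access to Secrets in every namespace. The ClusterRole and namespace names in the sample objects are constructed.

```python
# Added example (not the advisory's or Argo CD's code): flag ClusterRoles
# through which a ServiceAccount can read Secrets in every namespace.
# Input dicts are in the shape `kubectl get clusterroles,clusterrolebindings
# -o json` returns; all names below are constructed samples.
READ_VERBS = {"get", "list", "watch"}

def _rule_reads_secrets(rule):
    """True if one PolicyRule grants a read verb on core-group Secrets."""
    groups = rule.get("apiGroups", [""])
    verbs = set(rule.get("verbs", []))
    resources = set(rule.get("resources", []))
    return (("" in groups or "*" in groups)
            and (bool(verbs & READ_VERBS) or "*" in verbs)
            and ("secrets" in resources or "*" in resources))

def _subject_matches(subject, sa_ns, sa_name):
    """Match the SA directly or via the groups every SA belongs to."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":
        return name == sa_name and subject.get("namespace") == sa_ns
    return kind == "Group" and name in (
        "system:serviceaccounts", f"system:serviceaccounts:{sa_ns}",
        "system:authenticated")

def cluster_wide_secret_readers(sa_ns, sa_name, cluster_roles, bindings):
    """ClusterRole names granting the SA cluster-wide Secret reads. Only
    ClusterRoleBindings count: a RoleBinding to a ClusterRole is namespaced."""
    rules = {r["metadata"]["name"]: r.get("rules", []) for r in cluster_roles}
    found = set()
    for b in bindings:
        ref = b["roleRef"]
        covered = any(_subject_matches(s, sa_ns, sa_name) for s in b.get("subjects", []))
        if ref.get("kind") == "ClusterRole" and covered and any(
                _rule_reads_secrets(r) for r in rules.get(ref["name"], [])):
            found.add(ref["name"])
    return sorted(found)

# Constructed sample: an over-broad ClusterRole bound to the server SA, and
# a harmless pod-reader bound to all ServiceAccounts.
SAMPLE_ROLES = [
    {"metadata": {"name": "constructed-argocd-reader"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]}]},
    {"metadata": {"name": "constructed-pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get"]}]},
]
SAMPLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "constructed-argocd-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-argocd-server",
                   "namespace": "team-a"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "constructed-pod-reader"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts"}]},
]
```

A non-empty result for a ServiceAccount that should only manage its own namespace is the condition to remediate; after patching, re-run the check against the live RBAC objects.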
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Red Hat OpenShift GitOps: 1.1
External links
http://access.redhat.com/errata/RHSA-2021:2053
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.