Log

AVG-1927 edited at 20 May 2021 14:17:03
Advisory qualified
- Yes
+ No
AVG-1873 edited at 20 May 2021 14:16:54
Advisory qualified
- Yes
+ No
AVG-1801 edited at 20 May 2021 14:16:48
Advisory qualified
- Yes
+ No
AVG-1973 edited at 20 May 2021 13:44:55
Status
- Vulnerable
+ Not affected
Advisory qualified
- Yes
+ No
Notes
+ This appears to be specific to Red Hat OpenShift GitOps.
AVG-1973 edited at 20 May 2021 13:44:30
Severity
- Unknown
+ High
CVE-2021-3557 edited at 20 May 2021 13:44:30
Severity
- Unknown
+ High
Remote
- Unknown
+ Local
Type
- Unknown
+ Information disclosure
Description
+ Any unprivileged user is able to deploy argocd in his namespace and with the created ServiceAccount argocd-argocd-server, the unprivileged user is able to read all resources of the cluster like all secrets which might enable privilege escalations.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1961929
Notes
AVG-1973 created at 20 May 2021 13:43:30
Packages
+ argocd
Issues
+ CVE-2021-3557
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 2.0.1-1
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-3557 created at 20 May 2021 13:43:30
AVG-1907 edited at 19 May 2021 20:19:38
Status
- Vulnerable
+ Fixed
Fixed
+ 1.3.20-1
ASA-202105-9 edited at 19 May 2021 19:03:31
Workaround
- In order to prevent unauthenticated attacks in can be useful to disable guest edits until the next update. To do this set the following to configuration options:
+ In order to prevent unauthenticated attacks it can be useful to disable guest edits until the next update. To do this, set the following to configuration options:
{
# other configs
# …
"allowAnonymous": false,
"allowAnonymousEdits": false,
}
Or set the environment variables CMD_ALLOW_ANONYMOUS=false and CMD_ALLOW_ANONYMOUS_EDITS=false.
CVE-2021-32921 edited at 19 May 2021 15:17:36
References
https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values
https://hg.prosody.im/trunk/rev/c98aebe601f9
https://hg.prosody.im/trunk/rev/13b84682518e
https://hg.prosody.im/trunk/rev/6f56170ea986
Notes
+ The issue can partly be mitigated by enabling and configuring rate limits through mod_limits in order to lengthen the amount of time required to successfully complete a timing attack.
ASA-202105-11 edited at 19 May 2021 15:14:14
Workaround
+ - CVE-2021-32917 can be mitigated by configuring 'proxy65_acl' to a list of XMPP domains that should be allowed to use the file transfer proxy.
+
+ - CVE-2021-32918 can be partly mitigated using stricter settings for stanza size limits, rate limits and garbage collection parameters, see the referenced upstream advisory for more details.
+
+ - CVE-2021-32919 can be mitigated by removing or disabling the ‘dialback_without_dialback’ option.
+
+ - CVE-2021-32920 can be mitigated by setting the following ssl option (or add to your existing one if you have one):
+
+ ssl = {
+ options = {
+ no_renegotiation = true;
+ }
+ }
+
+ - CVE-2021-32921 can partly be mitigated by enabling and configuring rate limits through mod_limits in order to lengthen the amount of time required to successfully complete a timing attack.