Log

AVG-1973 edited at 20 May 2021 13:44:30
Severity
- Unknown
+ High
CVE-2021-3557 edited at 20 May 2021 13:44:30
Severity
- Unknown
+ High
Remote
- Unknown
+ Local
Type
- Unknown
+ Information disclosure
Description
+ Any unprivileged user is able to deploy argocd in their namespace, and with the created ServiceAccount argocd-argocd-server the unprivileged user is able to read all resources of the cluster, including all secrets, which might enable privilege escalation.
References
+ https://bugzilla.redhat.com/show_bug.cgi?id=1961929
Notes
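Added example, not part of the tracker record or of Argo CD itself: a Python audit over the output of `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` that lists every ServiceAccount a ClusterRoleBinding ties to a ClusterRole able to read Secrets, which is the condition the description above warns about. The sample data is constructed; the ClusterRole name and the tenant-a namespace are assumptions, and only the ServiceAccount name argocd-argocd-server comes from the entry.

```python
"""Added example: find ServiceAccounts that can read Secrets cluster-wide.

Feed it the JSON from `kubectl get clusterroles -o json` and
`kubectl get clusterrolebindings -o json`; the sample data below is
constructed for the demonstration and is not Argo CD's real manifest."""
import json

READ_VERBS = {"get", "list", "watch"}


def rule_grants_secret_read(rule):
    """True if a single RBAC rule lets its holder read core-group Secrets."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    in_core_group = "" in groups or "*" in groups
    covers_secrets = "secrets" in resources or "*" in resources
    can_read = "*" in verbs or bool(verbs & READ_VERBS)
    return in_core_group and covers_secrets and can_read


def clusterroles_reading_secrets(clusterroles):
    """Names of ClusterRoles with at least one Secret-reading rule."""
    return {cr["metadata"]["name"] for cr in clusterroles
            if any(rule_grants_secret_read(r) for r in cr.get("rules") or [])}


def service_accounts_reading_secrets(clusterroles, clusterrolebindings):
    """(namespace, serviceaccount, clusterrole) for every ServiceAccount that a
    ClusterRoleBinding ties to a Secret-reading ClusterRole.

    Only ClusterRoleBindings matter here: the same ClusterRole referenced from
    a namespaced RoleBinding grants access in that one namespace only."""
    risky = clusterroles_reading_secrets(clusterroles)
    hits = []
    for crb in clusterrolebindings:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in risky:
            continue
        for subject in crb.get("subjects") or []:
            if subject.get("kind") == "ServiceAccount":
                hits.append((subject.get("namespace"), subject["name"], ref["name"]))
    return sorted(hits)


def audit_kubectl_json(clusterroles_json, clusterrolebindings_json):
    """Same audit over the raw text of the two `kubectl ... -o json` lists."""
    return service_accounts_reading_secrets(
        json.loads(clusterroles_json)["items"],
        json.loads(clusterrolebindings_json)["items"])


# Constructed sample: one tenant's argocd-argocd-server bound cluster-wide to a
# read-everything ClusterRole (assumed name), plus a harmless ConfigMap reader.
SAMPLE_CLUSTERROLES = [
    {"metadata": {"name": "tenant-a-argocd-server-read-all"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"],
                "verbs": ["get", "list"]}]},
]
SAMPLE_CLUSTERROLEBINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "tenant-a-argocd-server-read-all"},
     "subjects": [{"kind": "ServiceAccount", "name": "argocd-argocd-server",
                   "namespace": "tenant-a"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "configmap-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "app", "namespace": "tenant-b"}]},
]

if __name__ == "__main__":
    for ns, sa, role in service_accounts_reading_secrets(
            SAMPLE_CLUSTERROLES, SAMPLE_CLUSTERROLEBINDINGS):
        print(f"system:serviceaccount:{ns}:{sa} reads all Secrets via ClusterRole {role}")
```

On a live cluster the single finding from the description can be reproduced directly with `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:<namespace>:argocd-argocd-server`; a "yes" there is exactly what the audit above flags. Aggregated ClusterRoles and subjects of kind Group or User are outside what this script inspects.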
AVG-1973 created at 20 May 2021 13:43:30
Packages
+ argocd
Issues
+ CVE-2021-3557
Status
+ Vulnerable
Severity
+ Unknown
Affected
+ 2.0.1-1
Fixed
Ticket
Advisory qualified
+ Yes
References
Notes
CVE-2021-3557 created at 20 May 2021 13:43:30
AVG-1907 edited at 19 May 2021 20:19:38
Status
- Vulnerable
+ Fixed
Fixed
+ 1.3.20-1
ASA-202105-9 edited at 19 May 2021 19:03:31
Workaround
- In order to prevent unauthenticated attacks in can be useful to disable guest edits until the next update. To do this set the following to configuration options:
+ In order to prevent unauthenticated attacks it can be useful to disable guest edits until the next update. To do this, set the following two configuration options:
{
# other configs
# …
"allowAnonymous": false,
"allowAnonymousEdits": false,
}
Or set the environment variables CMD_ALLOW_ANONYMOUS=false and CMD_ALLOW_ANONYMOUS_EDITS=false.
CVE-2021-32921 edited at 19 May 2021 15:17:36
References
https://prosody.im/security/advisory_20210512/#use-of-timing-dependent-string-comparison-with-sensitive-values
https://hg.prosody.im/trunk/rev/c98aebe601f9
https://hg.prosody.im/trunk/rev/13b84682518e
https://hg.prosody.im/trunk/rev/6f56170ea986
Notes
+ The issue can partly be mitigated by enabling and configuring rate limits through mod_limits in order to lengthen the amount of time required to successfully complete a timing attack.
ASA-202105-11 edited at 19 May 2021 15:14:14
Workaround
+ - CVE-2021-32917 can be mitigated by configuring 'proxy65_acl' to a list of XMPP domains that should be allowed to use the file transfer proxy.
+
+ - CVE-2021-32918 can be partly mitigated using stricter settings for stanza size limits, rate limits and garbage collection parameters, see the referenced upstream advisory for more details.
+
+ - CVE-2021-32919 can be mitigated by removing or disabling the ‘dialback_without_dialback’ option.
+
+ - CVE-2021-32920 can be mitigated by setting the following ssl option (or add to your existing one if you have one):
+
+ ssl = {
+ options = {
+ no_renegotiation = true;
+ }
+ }
+
+ - CVE-2021-32921 can partly be mitigated by enabling and configuring rate limits through mod_limits in order to lengthen the amount of time required to successfully complete a timing attack.
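Added example for the mod_limits notes on CVE-2021-32921 above (both the CVE-2021-32921 entry and this workaround list): a generic Python illustration of why a timing-dependent comparison leaks a secret and why rate limiting only lengthens the attack. It is not Prosody's code. The secret token and the hex alphabet are constructed, and byte comparisons are counted instead of timed so the side channel is deterministic here.

```python
"""Added example: why a timing-dependent comparison leaks a secret and what
rate limiting changes. A generic illustration of the vulnerability class,
not Prosody's code. Byte comparisons are counted instead of timed so the
side channel is deterministic here; a real attacker measures wall-clock
time and needs many samples per guess to average out the noise."""
import hmac

# Constructed 32-character hex token standing in for the server-side secret.
SECRET = b"3f9a0c7e12b45d68a1ee904bc7d2f0a5"
HEX_ALPHABET = b"0123456789abcdef"


class WorkCounter:
    """Records how many byte comparisons a check performed."""
    def __init__(self):
        self.steps = 0


def naive_equal(counter, secret, guess):
    """Vulnerable: returns at the first mismatch, so the work done (and the
    time taken) grows with the length of the correctly guessed prefix."""
    if len(secret) != len(guess):
        return False
    for a, b in zip(secret, guess):
        counter.steps += 1
        if a != b:
            return False
    return True


def constant_time_equal(counter, secret, guess):
    """Fixed: every byte is examined regardless of where a mismatch is;
    hmac.compare_digest is the standard-library primitive for this."""
    counter.steps += len(secret)
    return hmac.compare_digest(secret, guess)


def recover_secret(check, length, alphabet=HEX_ALPHABET):
    """Byte-at-a-time recovery driven only by the work counter (the "timing")
    and the accept/reject answer. Returns (recovered, queries_issued)."""
    known = b""
    queries = 0
    for pos in range(length):
        best_byte, best_steps = None, -1
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            counter = WorkCounter()
            queries += 1
            if check(counter, guess):          # final byte: server accepted
                return known + bytes([c]), queries
            if counter.steps > best_steps:     # longest matching prefix wins
                best_byte, best_steps = c, counter.steps
        known += bytes([best_byte])
    return known, queries


def attack_against_naive():
    return recover_secret(lambda ctr, g: naive_equal(ctr, SECRET, g), len(SECRET))


def attack_against_constant_time():
    return recover_secret(lambda ctr, g: constant_time_equal(ctr, SECRET, g), len(SECRET))


if __name__ == "__main__":
    recovered, queries = attack_against_naive()
    print(f"naive compare: recovered={recovered == SECRET} after {queries} guesses")
    recovered, queries = attack_against_constant_time()
    print(f"constant-time compare: recovered={recovered == SECRET} after {queries} guesses")
```

Against the early-exit comparison the oracle needs at most 16 guesses per position, a few hundred in total for this token; against the constant-time version every guess costs the same work, so the search degenerates to picking the first candidate and recovers nothing. A rate limit like the one mod_limits enforces multiplies the time each guess (and each repeated timing sample) costs, turning minutes into hours or days, but the leak itself remains, which is why the advisory calls it a partial mitigation.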
ASA-202105-9 edited at 19 May 2021 15:10:02
Workaround
+ In order to prevent unauthenticated attacks in can be useful to disable guest edits until the next update. To do this set the following to configuration options:
+
+ {
+ # other configs
+ # …
+ "allowAnonymous": false,
+ "allowAnonymousEdits": false,
+
+ }
+
+ Or set the environment variables CMD_ALLOW_ANONYMOUS=false and CMD_ALLOW_ANONYMOUS_EDITS=false.
ASA-202105-10 edited at 19 May 2021 15:08:28
Workaround
+ - CVE-2021-28651 can be mitigated by disabling URN processing by the proxy, by adding these lines to squid.conf:
+
+ acl URN proto URN
+ http_access deny URN
+
+ - CVE-2021-28652 can be mitigated by either disabling Cache Manager access entirely if not needed, by placing the following line in squid.conf before lines containing "allow":
+
+ http_access deny manager
+
+ or by hardening Cache Manager access privileges, for example: require authentication or other access controls in http_access beyond the default IP address restriction.
+
+ - No known mitigations exist for CVE-2021-28662.
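Added example, not part of the tracker record or of Squid itself: a Python check that a squid.conf really applies the two workarounds above. Squid evaluates http_access lines top to bottom and stops at the first match, so a deny placed after an allow that matches the request never fires for it. The two sample configurations are constructed for this demonstration and are not taken from any real deployment.

```python
"""Added example: verify that squid.conf actually applies the two workarounds
above. Squid evaluates http_access lines top to bottom and stops at the
first match, so a deny that is placed after an allow matching the request
never fires for it. The sample configurations are constructed for this
demonstration, not taken from any real deployment."""


def parse_http_access(conf_text):
    """Ordered list of (action, acl_names) from every http_access line,
    with comments and blank lines removed."""
    rules = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


def acl_defined(conf_text, name, acltype, value):
    """True if an `acl <name> <type> ... <value> ...` line exists."""
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if (len(parts) >= 4 and parts[0] == "acl" and parts[1] == name
                and parts[2] == acltype and value in parts[3:]):
            return True
    return False


def deny_precedes_all_allows(rules, acl):
    """True if an `http_access deny <acl>` line comes before every allow line,
    which is what the advisory asks for. Squid's stock layout
    `allow localhost manager` followed by `deny manager` fails this on purpose:
    localhost can still reach the Cache Manager, so it is restricted, not
    disabled."""
    deny_positions = [i for i, (act, acls) in enumerate(rules)
                      if act == "deny" and acl in acls]
    if not deny_positions:
        return False
    allow_positions = [i for i, (act, _) in enumerate(rules) if act == "allow"]
    return all(deny_positions[0] < i for i in allow_positions)


def workaround_status(conf_text):
    """Report whether the URN and Cache Manager workarounds are in effect.
    `manager` is one of Squid's built-in ACLs and needs no acl line;
    `URN` is not, hence the definition check."""
    rules = parse_http_access(conf_text)
    return {
        "urn_blocked": acl_defined(conf_text, "URN", "proto", "URN")
                       and deny_precedes_all_allows(rules, "URN"),
        "manager_disabled": deny_precedes_all_allows(rules, "manager"),
    }


# Constructed sample 1: both workarounds applied as the advisory describes.
HARDENED_CONF = """\
acl localnet src 192.168.0.0/16
acl URN proto URN
# CVE-2021-28651 workaround
http_access deny URN
# CVE-2021-28652 workaround, placed before any allow line
http_access deny manager
http_access allow localnet
http_access deny all
"""

# Constructed sample 2: the deny is present but comes too late, URN untouched.
INEFFECTIVE_CONF = """\
acl localnet src 192.168.0.0/16
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access deny all
"""

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("ineffective", INEFFECTIVE_CONF)):
        print(name, workaround_status(conf))
```

The check is purely textual: it does not follow `include` directives, evaluate negated ACLs, or know which allow lines could actually match a given client, so it is a pre-flight test, not a substitute for reading the file. After editing squid.conf, `squid -k parse` validates the syntax and `squid -k reconfigure` loads it without a restart.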
AVG-1972 edited at 19 May 2021 14:38:03
Status
- Vulnerable
+ Fixed
Fixed
+ 1.0.0rc95-1
AVG-1880 edited at 19 May 2021 12:40:27
Affected
- 5.12.4.zen2-1
+ 5.12.5.zen1-1