-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat OpenShift GitOps security update
Advisory ID: RHSA-2022:0580-01
Product: Red Hat OpenShift GitOps
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0580
Issue date: 2022-02-17
CVE Names: CVE-2016-4658 CVE-2019-5827 CVE-2019-13750
CVE-2019-13751 CVE-2019-17594 CVE-2019-17595
CVE-2019-18218 CVE-2019-19603 CVE-2019-20838
CVE-2020-12762 CVE-2020-13435 CVE-2020-14145
CVE-2020-14155 CVE-2020-16135 CVE-2020-24370
CVE-2021-3200 CVE-2021-3426 CVE-2021-3445
CVE-2021-3521 CVE-2021-3572 CVE-2021-3580
CVE-2021-3712 CVE-2021-3800 CVE-2021-20231
CVE-2021-20232 CVE-2021-20271 CVE-2021-22876
CVE-2021-22898 CVE-2021-22925 CVE-2021-27645
CVE-2021-28153 CVE-2021-33560 CVE-2021-33574
CVE-2021-35942 CVE-2021-36084 CVE-2021-36085
CVE-2021-36086 CVE-2021-36087 CVE-2021-37750
CVE-2021-39241 CVE-2021-40346 CVE-2021-42574
CVE-2021-43527 CVE-2021-44790 CVE-2022-24348
====================================================================
1. Summary:
An update for openshift-gitops-applicationset-container,
openshift-gitops-container, openshift-gitops-kam-delivery-container, and
openshift-gitops-operator-container is now available for Red Hat OpenShift
GitOps 1.2. (GitOps v1.2.2)
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat Openshift GitOps is a declarative way to implement continuous
deployment for cloud native applications.
Security Fix(es):
* gitops: Path traversal and dereference of symlinks when passing Helm
value files (CVE-2022-24348)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
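The fix class named above, a Helm value-file path that walks out of the application source directory with "../" or through a symlink, is illustrated here with an added defensive example. This is not code from the advisory or from OpenShift GitOps; `ResolveValueFile`, `BuildSampleRepo` and the fixture files are assumptions for illustration. The check canonicalises both the root and the candidate path before testing containment, so a symlink inside the repo that points outside it is rejected the same way a lexical traversal is.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot: the value file escapes the source root, lexically or via a symlink.
var ErrOutsideRoot = fmt.Errorf("helm value file resolves outside the source root")

// ResolveValueFile returns the symlink-resolved path of a repo-relative Helm value
// file only if it stays inside root. Hypothetical helper, not OpenShift GitOps code.
func ResolveValueFile(root, valueFile string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root) // canonical root for a fair prefix test
	if err != nil {
		return "", err
	}
	// Join cleans "../" lexically; EvalSymlinks then follows every symlink component.
	real, err := filepath.EvalSymlinks(filepath.Join(realRoot, valueFile))
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, real)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return real, nil
}

// BuildSampleRepo lays out constructed fixture data: an app dir holding a normal
// values.yaml plus a symlink that points at a file outside the app dir.
func BuildSampleRepo() string {
	base, _ := os.MkdirTemp("", "gitops-example") // fixture errors surface as lookup failures below
	root := filepath.Join(base, "app")
	_ = os.Mkdir(root, 0o755)
	_ = os.WriteFile(filepath.Join(root, "values.yaml"), []byte("replicas: 1\n"), 0o644)
	_ = os.WriteFile(filepath.Join(base, "outside.yaml"), []byte("secret: x\n"), 0o600)
	_ = os.Symlink("../outside.yaml", filepath.Join(root, "link.yaml")) // escapes via symlink
	return root
}

func main() {
	root := BuildSampleRepo()
	for _, p := range []string{"values.yaml", "../outside.yaml", "link.yaml"} {
		_, err := ResolveValueFile(root, p)
		fmt.Printf("%-16s -> %v\n", p, err) // nil for values.yaml, ErrOutsideRoot otherwise
	}
}
```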
3. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
2050826 - CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files
5. References:
https://access.redhat.com/security/cve/CVE-2016-4658
https://access.redhat.com/security/cve/CVE-2019-5827
https://access.redhat.com/security/cve/CVE-2019-13750
https://access.redhat.com/security/cve/CVE-2019-13751
https://access.redhat.com/security/cve/CVE-2019-17594
https://access.redhat.com/security/cve/CVE-2019-17595
https://access.redhat.com/security/cve/CVE-2019-18218
https://access.redhat.com/security/cve/CVE-2019-19603
https://access.redhat.com/security/cve/CVE-2019-20838
https://access.redhat.com/security/cve/CVE-2020-12762
https://access.redhat.com/security/cve/CVE-2020-13435
https://access.redhat.com/security/cve/CVE-2020-14145
https://access.redhat.com/security/cve/CVE-2020-14155
https://access.redhat.com/security/cve/CVE-2020-16135
https://access.redhat.com/security/cve/CVE-2020-24370
https://access.redhat.com/security/cve/CVE-2021-3200
https://access.redhat.com/security/cve/CVE-2021-3426
https://access.redhat.com/security/cve/CVE-2021-3445
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3572
https://access.redhat.com/security/cve/CVE-2021-3580
https://access.redhat.com/security/cve/CVE-2021-3712
https://access.redhat.com/security/cve/CVE-2021-3800
https://access.redhat.com/security/cve/CVE-2021-20231
https://access.redhat.com/security/cve/CVE-2021-20232
https://access.redhat.com/security/cve/CVE-2021-20271
https://access.redhat.com/security/cve/CVE-2021-22876
https://access.redhat.com/security/cve/CVE-2021-22898
https://access.redhat.com/security/cve/CVE-2021-22925
https://access.redhat.com/security/cve/CVE-2021-27645
https://access.redhat.com/security/cve/CVE-2021-28153
https://access.redhat.com/security/cve/CVE-2021-33560
https://access.redhat.com/security/cve/CVE-2021-33574
https://access.redhat.com/security/cve/CVE-2021-35942
https://access.redhat.com/security/cve/CVE-2021-36084
https://access.redhat.com/security/cve/CVE-2021-36085
https://access.redhat.com/security/cve/CVE-2021-36086
https://access.redhat.com/security/cve/CVE-2021-36087
https://access.redhat.com/security/cve/CVE-2021-37750
https://access.redhat.com/security/cve/CVE-2021-39241
https://access.redhat.com/security/cve/CVE-2021-40346
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/cve/CVE-2021-43527
https://access.redhat.com/security/cve/CVE-2021-44790
https://access.redhat.com/security/cve/CVE-2022-24348
https://access.redhat.com/security/updates/classification#important
6. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact
Copyright 2022 Red Hat, Inc.
--
RHSA-announce mailing list