CVE-2022-35975 Improper object validation allows for arbitrary code execution in GitOps Tools Extension for VSCode
The GitOps Tools Extension for VSCode can make it easier to manage Flux objects. A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users using the VSCode extension to manage clusters that ar...
PT-2022-23074 · Unknown · Gitops Tools Extension For Vscode
Name of the Vulnerable Software and Affected Versions: GitOps Tools Extension for VSCode affected versions not specified Description: A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users...
PT-2022-23075 · Microsoft · Vscode
Name of the Vulnerable Software and Affected Versions: GitOps Tools Extension for VSCode affected versions not specified Description: The GitOps Tools Extension for VSCode is affected by an issue where a specially crafted kubeconfig can lead to arbitrary code execution on behalf of the user runni...
Microsoft VSCode Extension OS Command Injection Vulnerability
Microsoft VSCode Extension is an extension for VSCode from Microsoft Corporation USA. An operating system command injection vulnerability exists in Microsoft VSCode Extension vscode-gitops-tools versions 0.7.0 through 0.20.2, which originates from a specially crafted Flux object in the context of...
CVE-2022-31102
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting XSS bug which could allow an attacker to inject arbitrary JavaScript in the /auth/callback page in a victim's browser. This...
Cross site scripting
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting XSS bug which could allow an attacker to inject arbitrary JavaScript in the /auth/callback page in a victim's browser. This...
Input validation
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious or otherwise untrustworthy OpenID Connect OIDC...
CVE-2022-31102
Argo CD (GitOps for Kubernetes) is affected by a cross-site scripting (XSS) vulnerability in versions 2.3.0–2.3.6 and 2.4.0–2.4.4 that allows arbitrary JavaScript in the /auth/callback page when SSO is enabled. Exploitation requires access to the API server’s encryption key, a method to inject a ...
CVE-2022-31105 Argo CD's certificate verification is skipped for connections to OIDC providers
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with version 0.4.0 and prior to 2.2.11, 2.3.6, and 2.4.5 is vulnerable to an improper certificate validation bug which could cause Argo CD to trust a malicious or otherwise untrustworthy OpenID Connect OIDC...
CVE-2022-31105
Argo CD versions 0.4.0–2.2.11, 2.3.6–2.4.5 are affected by an improper certificate validation when connecting to OIDC providers, risking trust in a malicious provider. Patches were released in 2.2.11, 2.3.6, and 2.4.5. Upgrading to these patched releases (or newer) is the recommended fix. A parti...
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting XSS bug which could allow an attacker to inject arbitrary JavaScript in the /auth/callback page in a victim's browser. This...
A Bootiful Podcast: Kubernetes contributor and fellow Tanzu Developer Advocate Leigh Capili
Hi, Spring fans! In this installment Josh Long @starbuxman talks to fellow teammate and Kubernetes ecosystem legend Leigh Capili @capileigh about GitOps, Kubernetes, Puppet/Chef, continuous delivery, how Zoom scales if you deploy on-prem, being a developer advocate, Flux, and so much more...
Weave GitOps Log Information Disclosure Vulnerability
Weave GitOps is a simple open-source developer platform by Weaveworks. Weave GitOps has a log information disclosure vulnerability. The vulnerability stems from insufficient protection of sensitive information and can be exploited by an authenticated remote attacker to view sensitive...
CVE-2022-31098
Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfig, of...
Design/Logic Flaw
Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfig, of...
CVE-2022-31098 Weave GitOps leaked cluster credentials into logs on connection errors
Weave GitOps is a simple open source developer platform for people who want cloud native applications, without needing Kubernetes expertise. A vulnerability in the logging of Weave GitOps could allow an authenticated remote attacker to view sensitive cluster configurations, aka KubeConfig, of...
CVE-2022-31098
Weave GitOps vulnerable to information disclosure in logs: when connecting to a registered Kubernetes API server, the client factory dumps cluster configurations and service account tokens into pod logs on the management cluster or external log storage. An authenticated remote attacker could acce...