A Red Hat OpenShift GitOps security update has been released.

RHSA-2022:0580-01: Important: Red Hat OpenShift GitOps security update

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat OpenShift GitOps security update
Advisory ID: RHSA-2022:0580-01
Product: Red Hat OpenShift GitOps
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:0580
Issue date: 2022-02-17
CVE Names: CVE-2016-4658 CVE-2019-5827 CVE-2019-13750
CVE-2019-13751 CVE-2019-17594 CVE-2019-17595
CVE-2019-18218 CVE-2019-19603 CVE-2019-20838
CVE-2020-12762 CVE-2020-13435 CVE-2020-14145
CVE-2020-14155 CVE-2020-16135 CVE-2020-24370
CVE-2021-3200 CVE-2021-3426 CVE-2021-3445
CVE-2021-3521 CVE-2021-3572 CVE-2021-3580
CVE-2021-3712 CVE-2021-3800 CVE-2021-20231
CVE-2021-20232 CVE-2021-20271 CVE-2021-22876
CVE-2021-22898 CVE-2021-22925 CVE-2021-27645
CVE-2021-28153 CVE-2021-33560 CVE-2021-33574
CVE-2021-35942 CVE-2021-36084 CVE-2021-36085
CVE-2021-36086 CVE-2021-36087 CVE-2021-37750
CVE-2021-39241 CVE-2021-40346 CVE-2021-42574
CVE-2021-43527 CVE-2021-44790 CVE-2022-24348
=====================================================================

1. Summary:

An update for openshift-gitops-applicationset-container,
openshift-gitops-container, openshift-gitops-kam-delivery-container, and
openshift-gitops-operator-container is now available for Red Hat OpenShift
GitOps 1.2. (GitOps v1.2.2)

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat Openshift GitOps is a declarative way to implement continuous
deployment for cloud native applications.

Security Fix(es):

* gitops: Path traversal and dereference of symlinks when passing Helm
value files (CVE-2022-24348)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2050826 - CVE-2022-24348 gitops: Path traversal and dereference of symlinks when passing Helm value files

5. References:

  https://access.redhat.com/security/cve/CVE-2016-4658
  https://access.redhat.com/security/cve/CVE-2019-5827
  https://access.redhat.com/security/cve/CVE-2019-13750
  https://access.redhat.com/security/cve/CVE-2019-13751
  https://access.redhat.com/security/cve/CVE-2019-17594
  https://access.redhat.com/security/cve/CVE-2019-17595
  https://access.redhat.com/security/cve/CVE-2019-18218
  https://access.redhat.com/security/cve/CVE-2019-19603
  https://access.redhat.com/security/cve/CVE-2019-20838
  https://access.redhat.com/security/cve/CVE-2020-12762
  https://access.redhat.com/security/cve/CVE-2020-13435
  https://access.redhat.com/security/cve/CVE-2020-14145
  https://access.redhat.com/security/cve/CVE-2020-14155
  https://access.redhat.com/security/cve/CVE-2020-16135
  https://access.redhat.com/security/cve/CVE-2020-24370
  https://access.redhat.com/security/cve/CVE-2021-3200
  https://access.redhat.com/security/cve/CVE-2021-3426
  https://access.redhat.com/security/cve/CVE-2021-3445
  https://access.redhat.com/security/cve/CVE-2021-3521
  https://access.redhat.com/security/cve/CVE-2021-3572
  https://access.redhat.com/security/cve/CVE-2021-3580
  https://access.redhat.com/security/cve/CVE-2021-3712
  https://access.redhat.com/security/cve/CVE-2021-3800
  https://access.redhat.com/security/cve/CVE-2021-20231
  https://access.redhat.com/security/cve/CVE-2021-20232
  https://access.redhat.com/security/cve/CVE-2021-20271
  https://access.redhat.com/security/cve/CVE-2021-22876
  https://access.redhat.com/security/cve/CVE-2021-22898
  https://access.redhat.com/security/cve/CVE-2021-22925
  https://access.redhat.com/security/cve/CVE-2021-27645
  https://access.redhat.com/security/cve/CVE-2021-28153
  https://access.redhat.com/security/cve/CVE-2021-33560
  https://access.redhat.com/security/cve/CVE-2021-33574
  https://access.redhat.com/security/cve/CVE-2021-35942
  https://access.redhat.com/security/cve/CVE-2021-36084
  https://access.redhat.com/security/cve/CVE-2021-36085
  https://access.redhat.com/security/cve/CVE-2021-36086
  https://access.redhat.com/security/cve/CVE-2021-36087
  https://access.redhat.com/security/cve/CVE-2021-37750
  https://access.redhat.com/security/cve/CVE-2021-39241
  https://access.redhat.com/security/cve/CVE-2021-40346
  https://access.redhat.com/security/cve/CVE-2021-42574
  https://access.redhat.com/security/cve/CVE-2021-43527
  https://access.redhat.com/security/cve/CVE-2021-44790
  https://access.redhat.com/security/cve/CVE-2022-24348
  https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.