- Issued: 2025-05-28
- Updated: 2025-05-28
RHSA-2025:8274 - Security Advisory
Synopsis
Important: Errata Advisory for Red Hat OpenShift GitOps v1.14.4 security update
Type/Severity
Security Advisory: Important
Topic
Errata Advisory for Red Hat OpenShift GitOps v1.14.4 security update.
Description
Errata Advisory for Red Hat OpenShift GitOps v1.14.4 security release.
Security Fix(es):
- openshift-gitops-argocd-container: Improper URL Sanitization in Argo CD Repository Page Allows Cross-Site Scripting (XSS) [gitops-1.14] (CVE-2025-47933)
- openshift-gitops-1/gitops-operator-bundle: Improper URL Sanitization in Argo CD Repository Page Allows Cross-Site Scripting (XSS) [gitops-1.14] (CVE-2025-47933)
- openshift-gitops-1/argocd-rhel9: Improper URL Sanitization in Argo CD Repository Page Allows Cross-Site Scripting (XSS) [gitops-1.14] (CVE-2025-47933)
- openshift-gitops-operator-container: Namespace Isolation Break [gitops-1.14] (CVE-2024-13484)
- openshift-gitops-dex-container: Unexpected memory consumption during token parsing in golang.org/x/oauth2 [gitops-1.14] (CVE-2025-22868)
- openshift-gitops-container: Potential denial of service in golang.org/x/crypto [gitops-1.14] (CVE-2025-22869)
- openshift-gitops-argo-rollouts-container: net/http, x/net/http2: unlimited number of CONTINUATION frames causes DoS [gitops-1.14] (CVE-2023-45288)
- openshift-gitops-argocd-container: jwt-go allows excessive memory allocation during header parsing [gitops-1.14] (CVE-2025-30204)
- openshift-gitops-argocd-rhel9-container: jwt-go allows excessive memory allocation during header parsing [gitops-1.14] (CVE-2025-30204)
- openshift-gitops-argocd-container: Prototype Pollution in redoc [gitops-1.14] (CVE-2024-57083)
- openshift-gitops-argocd-rhel9-container: Prototype Pollution in redoc [gitops-1.14] (CVE-2024-57083)
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat OpenShift GitOps 1.14 for RHEL 9 x86_64
- Red Hat OpenShift GitOps 1.14 for RHEL 8 x86_64
- Red Hat OpenShift GitOps for IBM Power, little endian 1.14 for RHEL 8 ppc64le
- Red Hat OpenShift GitOps for IBM Z and LinuxONE 1.14 for RHEL 8 s390x
- Red Hat OpenShift GitOps for ARM 64 1.14 for RHEL 9 aarch64
- Red Hat OpenShift GitOps for ARM 64 1.14 for RHEL 8 aarch64
Fixes
- GITOPS-6254 - CVE-2024-13484 openshift-gitops-operator-container: Namespace Isolation Break [gitops-1.14]
CVEs
- CVE-2023-39321
- CVE-2023-39322
- CVE-2023-45288
- CVE-2024-8176
- CVE-2024-9355
- CVE-2024-11187
- CVE-2024-12087
- CVE-2024-12088
- CVE-2024-12133
- CVE-2024-12243
- CVE-2024-12747
- CVE-2024-13484
- CVE-2024-24788
- CVE-2024-24790
- CVE-2024-24791
- CVE-2024-52005
- CVE-2024-56171
- CVE-2024-57083
- CVE-2025-0395
- CVE-2025-22868
- CVE-2025-22869
- CVE-2025-24528
- CVE-2025-24928
- CVE-2025-26465
- CVE-2025-30204
- CVE-2025-47933
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.