Crenshaw-Dev

**Name of the Vulnerable Software and Affected Versions** Argo CD versions prior to 2.11.3 Argo CD versions prior to 2.10.12 Argo CD versions prior to 2.9.17 **Description** Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This issue can be exploited by sending requests to specific API endpoints, such as 'https://localhost:8080/api/v1/clusters/in-cluster?id.type=name', and analyzing the error messages returned. **Recommendations** For versions prior to 2.11.3, update to version 2.11.3 or later. For versions prior to 2.10.12, update to version 2.10.12 or later. For versions prior to 2.9.17, update to version 2.9.17 or later. As a temporary workaround, consider restricting access to the `api/v1/clusters` endpoint until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions prior to 2.10.7 Argo CD versions prior to 2.9.12 Argo CD versions prior to 2.8.16 **Description** Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces, which allows attackers to use the UI to edit resources that should only be mutable via gitops. An attacker can exploit this by creating an Application in a specific namespace, changing its project, and then using the UI to edit the resource. **Recommendations** For versions prior to 2.10.7, update to version 2.10.7 or later. For versions prior to 2.9.12, update to version 2.9.12 or later. For versions prior to 2.8.16, update to version 2.8.16 or later. As a temporary workaround, consider restricting access to the UI for editing resources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions prior to 2.10.8 Argo CD versions prior to 2.9.13 Argo CD versions prior to 2.8.17 **Description** The issue is related to a Denial of Service (DoS) vulnerability via Out of Memory (OOM) using jq in ignoreDifferences. This vulnerability can be exploited by a remote attacker, allowing them to cause a service disruption. The vulnerability is associated with uncontrolled resource consumption when processing the `jqPathExpressions` parameter. **Recommendations** For versions prior to 2.10.8, update to version 2.10.8 or later. For versions prior to 2.9.13, update to version 2.9.13 or later. For versions prior to 2.8.17, update to version 2.8.17 or later. As a temporary workaround, consider restricting the use of the `jqPathExpressions` parameter in the `ignoreDifferences` configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 1.2.0-rc1 through 2.10.2 Argo CD versions 1.2.0-rc1 through 2.9.7 Argo CD versions 1.2.0-rc1 through 2.8.11 **Description** The issue is related to improper validation in Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. This allows users with `create` privileges but not `override` privileges to sync local manifests on app creation, bypassing the restriction that the manifests come from some approved git/Helm/OCI source. The "local sync" feature, which allows developers to temporarily override an Application's manifests with locally-defined manifests, is affected. This feature should generally be limited to highly-trusted users, as it allows the user to bypass any merge protections in git. **Recommendations** For Argo CD versions 1.2.0-rc1 through 2.10.2, upgrade to version 2.10.3. For Argo CD versions 1.2.0-rc1 through 2.9.7, upgrade to version 2.9.8. For Argo CD versions 1.2.0-rc1 through 2.8.11, upgrade to version 2.8.12. As a temporary workaround, consider removing `applications, create` RBAC access to mitigate the risk of branch protection bypass.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions prior to 2.3 **Description** Argo CD is a declarative continuous deployment framework for Kubernetes. The issue allows an attacker to reference external Helm charts handled by the same repo-server to leak values or files from the referenced Helm Chart using a specifically-crafted Helm file. This is possible because Helm paths were predictable, allowing an attacker to add a Helm chart that references Helm resources from predictable paths. As a result, it is possible to reference and render the values and resources from other existing Helm charts, regardless of permissions. Although secrets are generally not stored in these files, it is still possible to reference any values from these charts. **Recommendations** For Argo CD versions prior to 2.3, update to a supported version. If updating is not possible, consider disabling Helm chart rendering or using an additional repo-server for each Helm chart to prevent possible exploitation.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 2.3.0-rc1 through 2.3.16 Argo CD versions 2.4.0 through 2.4.22 Argo CD versions 2.5.0 through 2.5.10 Argo CD versions 2.6.0 through 2.6.1 **Description** The issue is related to an improper authorization bug in Argo CD, a declarative, GitOps continuous delivery tool for Kubernetes. This bug allows users who have the ability to update at least one cluster secret to update any cluster secret. An attacker could use this access to escalate privileges, potentially controlling Kubernetes resources, or to break Argo CD functionality by preventing connections to external clusters. The vulnerability can be exploited by an attacker who is authenticated with the Argo CD API server and has access to update at least one cluster configuration. The attacker can craft a malicious request to the Argo CD API server, potentially allowing them to manage out-of-bounds resources, disable certificate verification for TLS connections, or apply an invalid configuration to achieve a denial-of-service. **Recommendations** For Argo CD versions 2.3.0-rc1 through 2.3.16, update to version 2.3.17. For Argo CD versions 2.4.0 through 2.4.22, update to version 2.4.23. For Argo CD versions 2.5.0 through 2.5.10, update to version 2.5.11. For Argo CD versions 2.6.0 through 2.6.1, update to version 2.6.2. As a temporary workaround, consider modifying the RBAC configuration to completely revoke all `clusters, update` access. Alternatively, use the `destinations` and `clusterResourceWhitelist` fields to apply similar restrictions as the `namespaces` and `clusterResources` fields.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 2.6.0-rc1 through 2.6.0 **Description** The issue is related to an output sanitization bug in Argo CD, which leaks repository access credentials in error messages. These error messages are visible to the user and are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API. The user must have `applications, create` or `applications, update` RBAC access to reach the code that may produce the error. **Recommendations** For versions 2.6.0-rc1 through 2.6.0, upgrade to version 2.6.1 to resolve the issue. To mitigate the issue, ensure that your repository credentials have only the least necessary privileges. Enable commit signature verification to prevent malicious commits from being synced. Enforce least privileges in Argo CD RBAC, ensuring users only have `repositories, update`, `applications, update`, or `applications, create` access if they absolutely need it.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 0.4.0 through 2.2.10 Argo CD versions 2.3.0 through 2.3.5 Argo CD versions 2.4.0 through 2.4.4 **Description** The issue is related to an improper certificate validation bug in Argo CD, which could cause it to trust a malicious OpenID Connect (OIDC) provider. This bug affects connections to OIDC providers and can be exploited by an attacker to conduct spoofing attacks. The vulnerability is related to the skipping of certificate verification when communicating with the OIDC provider, which opens Argo CD to various risks, such as a machine-in-the-middle attack. **Recommendations** For Argo CD versions 0.4.0 through 2.2.10, update to version 2.2.11 or later. For Argo CD versions 2.3.0 through 2.3.5, update to version 2.3.6 or later. For Argo CD versions 2.4.0 through 2.4.4, update to version 2.4.5 or later. As a temporary workaround for users of an external OIDC provider, consider setting the `oidc.config.rootCA` field in the `argocd-cm` ConfigMap to force certificate validation when the API server handles login flows.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 0.11.0 through 2.4.0 Argo CD versions 2.1.0 through 2.1.15 Argo CD versions 2.2.0 through 2.2.9 Argo CD versions 2.3.0 through 2.3.4 **Description** The issue is related to the use of insufficiently random values in parameters in Oauth2/OIDC login flows, making it possible for an attacker to gain admin access to Argo CD. The attacks are difficult to accomplish but can have a high impact. The vulnerabilities are due to the use of a relatively-predictable seed in a non-cryptographically-secure pseudo-random number generator, and in some cases, using too short a value made the entropy even less sufficient. The vulnerable parameters include the `state` parameter, `code verifier` parameter, and `nonce` parameter. **Recommendations** For Argo CD versions 0.11.0 through 2.1.15, update to version 2.1.16 or later. For Argo CD versions 2.2.0 through 2.2.9, update to version 2.2.10 or later. For Argo CD versions 2.3.0 through 2.3.4, update to version 2.3.5 or later. For Argo CD versions 2.4.0 and earlier, update to version 2.4.1 or later. As a temporary workaround, consider restricting access to the Oauth2/OIDC login flows until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Argo CD versions 0.7.0 through 2.1.14 Argo CD versions 2.2.0 through 2.2.8 Argo CD versions 2.3.0 through 2.3.3 **Description** Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A malicious user with repository write access can leak sensitive files from Argo CD's repo-server due to a symlink following bug. This can include manifest files from other Applications' source repositories or any JSON-formatted secrets mounted as files on the repo-server. A malicious Argo CD user with write access for a repository which is (or may be) used in a directory-type Application may commit a symlink which points to an out-of-bounds file. Sensitive files which could be leaked include manifest files from other Applications' source repositories (potentially decrypted files, if you are using a decryption plugin) or any JSON-formatted secrets which have been mounted as files on the repo-server. **Recommendations** For versions 0.7.0 through 2.1.14, upgrade to version 2.1.15 or later. For versions 2.2.0 through 2.2.8, upgrade to version 2.2.9 or later. For versions 2.3.0 through 2.3.3, upgrade to version 2.3.4 or later. As a temporary workaround for users of versions 2.3.0 or above who do not have any Jsonnet/directory-type Applications, consider disabling the Jsonnet/directory config management tool by setting `jsonnet.enable` to false. Restrict access to sensitive files and limit who has push access to manifest repositories. Limit who is allowed to configure new source repositories and restrict user access to only the necessary Projects. Avoid mounting JSON-formatted secrets as files on the repo-server.