PT-2022-2057 · Argo Cd · Argo Cd

Alexmt

·

Published

2022-03-22

·

Updated

2024-08-21

·

CVE-2022-1025

CVSS v2.0

10

Critical

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Argo CD 1.0.0 and later, up to but not including the patched releases v2.1.14, v2.2.8 and v2.3.2
Argo CD versions 0.8.0 through 0.9.x
Argo CD versions 0.5.0 through 0.7.x

Description

Argo CD contains an improper access control bug that lets a malicious user escalate their privileges, potentially to admin level. A user can exploit it if they have push access to an Application's source git or Helm repository, or sync and override access to an Application. How far the escalation goes depends on the user's other RBAC privileges on Applications (update, delete, get and action). A related issue affects users with only get access to an Application: they can read any Event in the Application's destination cluster, provided they know the involved object's name, UID and namespace.

Recommendations

Upgrade to a patched release: v2.3.2, v2.2.8 or v2.1.14, following the upgrade instructions in the changelog. Installations on 2.0.x or earlier have no patched release in their own series and must move to one of these. argo-helm chart users deploying v2.3.x should upgrade the chart to version 4.2.2; chart users on the 2.2 or 2.1 series should instead set global.image.tag to the latest release in their series (v2.2.8 or v2.1.14).

Until the upgrade is done, limit who has push access to Application source repositories and who has sync and override access to Applications, and restrict which repositories are available in projects where users have update access to Applications. Also limit who has delete, get or action access to Applications, since those permissions enable unauthorized inspection of or tampering with resources.
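As a practitioner's check for the two recommendations above (upgrade, and the interim workaround), here is an added shell example; it is not code from this advisory or from the Argo CD project. It decides whether a given Argo CD version string already carries the fix (v2.1.14, v2.2.8 and v2.3.2 per the advisory; the 2.4 line and later were cut after the fix and count as patched, which is this example's assumption) and writes an AppProject plus an argocd-rbac-cm ConfigMap that express the workaround in Argo CD's own configuration formats. The project name team-a, group team-a-devs, role role:team-a-dev and the repository URL are hypothetical; the kubectl command in the comment only shows how to obtain the running version and is not executed.

```shell
#!/bin/sh
# Added example for this advisory; not Argo CD code. Names below are hypothetical.
# To find the running version, read the server image tag, e.g.:
#   kubectl -n argocd get deploy argocd-server \
#     -o jsonpath='{.spec.template.spec.containers[0].image}'
# which prints something like quay.io/argoproj/argocd:v2.2.7.

# image_tag IMAGE: the tag after the last ':' (quay.io/argoproj/argocd:v2.2.7 -> v2.2.7)
image_tag() {
  printf '%s\n' "${1##*:}"
}

# norm_version V: drop a leading "v" and any pre-release/build suffix (v2.3.2-rc1 -> 2.3.2)
norm_version() {
  printf '%s\n' "$1" | sed -e 's/^v//' -e 's/[-+].*$//'
}

# version_ge A B: succeed when dotted version A >= B, compared numerically field by field
version_ge() {
  av=$(norm_version "$1"); bv=$(norm_version "$2")
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$av" | cut -s -d. -f"$i"); y=$(printf '%s\n' "$bv" | cut -s -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# argocd_fixed_for_cve_2022_1025 VERSION: succeed when VERSION carries the fix.
# Patched releases per the advisory: v2.1.14, v2.2.8, v2.3.2. The 2.0.x line and
# older never received a patch; 2.4 and later were cut after the fix (assumption).
argocd_fixed_for_cve_2022_1025() {
  nv=$(norm_version "$1")
  case "$1" in *-*) pre=1 ;; *) pre=0 ;; esac
  series=$(printf '%s\n' "$nv" | cut -s -d. -f1,2)
  case "$series" in
    2.1) fixed=2.1.14 ;;
    2.2) fixed=2.2.8 ;;
    2.3) fixed=2.3.2 ;;
    *)   version_ge "$nv" 2.4.0 && return 0
         return 1 ;;
  esac
  version_ge "$nv" "$fixed" || return 1
  # a pre-release of exactly the fixed version (e.g. v2.3.2-rc1) predates the fix
  if [ "$pre" -eq 1 ] && [ "$nv" = "$fixed" ]; then return 1; fi
  return 0
}

# write_workaround_manifests DIR: the interim workaround as Argo CD configuration.
# The AppProject pins allowed source repos and destinations and keeps cluster-scoped
# resources denied; the RBAC policy grants ordinary users only get and sync, and
# explicitly denies override, update, delete and action on the project's Applications.
write_workaround_manifests() {
  mkdir -p "$1"
  cat > "$1/appproject-team-a.yaml" <<'EOF'
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-a
  namespace: argocd
spec:
  # only this repository may serve as an Application source in the project
  sourceRepos:
    - https://github.com/example-org/team-a-manifests.git
  destinations:
    - server: https://kubernetes.default.svc
      namespace: team-a
  # empty whitelist: Applications here cannot create cluster-scoped resources
  clusterResourceWhitelist: []
EOF
  cat > "$1/argocd-rbac-cm.yaml" <<'EOF'
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  # policy.default is deliberately left unset so unmapped users get no Application access
  policy.csv: |
    p, role:team-a-dev, applications, get, team-a/*, allow
    p, role:team-a-dev, applications, sync, team-a/*, allow
    p, role:team-a-dev, applications, override, team-a/*, deny
    p, role:team-a-dev, applications, update, team-a/*, deny
    p, role:team-a-dev, applications, delete, team-a/*, deny
    p, role:team-a-dev, applications, action/*, team-a/*, deny
    g, team-a-devs, role:team-a-dev
EOF
}

# Usage: sh argocd-cve-2022-1025.sh v2.2.7 v2.3.2   (one verdict per version)
if [ "$#" -gt 0 ]; then
  for v in "$@"; do
    if argocd_fixed_for_cve_2022_1025 "$v"; then
      echo "$v: includes the fix for CVE-2022-1025"
    else
      echo "$v: unpatched for CVE-2022-1025, upgrade to v2.1.14 / v2.2.8 / v2.3.2 or later"
    fi
  done
fi
```

The RBAC policy keeps sync but denies override, because override is the permission that lets a user supply their own manifests at sync time; together with a project whose sourceRepos is pinned to a repository the user cannot push to, that removes both escalation paths the advisory names while leaving routine syncs working. Explicit deny rules win over allow in Argo CD's RBAC, so the deny lines also override any broader role the same group may inherit.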

Exploit

Fix

Missing Authorization

Information Disclosure

Improper Privilege Management

Incorrect Authorization

Improper Access Control

Related Identifiers

BDU:2022-01716
CVE-2022-1025
GHSA-2F5V-8R3F-8PWW
GHSA-96JV-VJ39-X4J6
GO-2022-0359
GO-2022-0516

Affected Products

Argo Cd