PT-2023-1473 · Argo CD +1
Crenshaw-Dev · Published 2023-02-16 · Updated 2024-08-20 · CVE-2023-23947
CVSS v3.1: 9.1 (Critical)
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Argo CD versions 2.3.0-rc1 through 2.3.16
Argo CD versions 2.4.0 through 2.4.22
Argo CD versions 2.5.0 through 2.5.10
Argo CD versions 2.6.0 through 2.6.1
Description
Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, contains an improper authorization bug in the handling of cluster secrets: a user who is permitted to update at least one cluster secret can update any cluster secret, including those of clusters and projects they are otherwise not allowed to touch. Exploitation requires an account that is authenticated to the Argo CD API server and holds `clusters, update` access on at least one cluster; unauthenticated and read-only users cannot trigger it, which is what the PR:H component of the CVSS vector reflects. By sending a crafted update request to the API server, such a user can rewrite another cluster's secret to manage resources outside their intended scope (the cluster secret is where Argo CD records the `namespaces` and `clusterResources` it may manage in that cluster), disable TLS certificate verification for the connection to that cluster, or store an invalid configuration so that Argo CD can no longer reach the cluster, a denial of service. Because the cluster secret carries the connection settings for the target control plane, the first two outcomes can escalate to control over Kubernetes resources in the affected clusters.
Recommendations
For Argo CD versions 2.3.0-rc1 through 2.3.16, update to version 2.3.17.
For Argo CD versions 2.4.0 through 2.4.22, update to version 2.4.23.
For Argo CD versions 2.5.0 through 2.5.10, update to version 2.5.11.
For Argo CD versions 2.6.0 through 2.6.1, update to version 2.6.2.
Upgrading is the only complete fix; confirm the server version that is actually running (for example with `argocd version`) before relying on a workaround. As a temporary workaround, modify the RBAC configuration (the `policy.csv` in the argocd-rbac-cm ConfigMap) to revoke every `clusters, update` grant, including grants scoped to a single project, since any one of them is enough to reach every cluster secret.
Alternatively, use the AppProject `destinations` and `clusterResourceWhitelist` fields to apply restrictions similar to those of the cluster secret's `namespaces` and `clusterResources` fields; these are enforced through the AppProject rather than through the cluster secret, so a tampered cluster secret does not loosen them.
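The following Go example is added here to illustrate the class of authorization gap described above and why the first workaround closes it; it is not Argo CD's code. The handler shapes, the toy policy evaluator and the `<project>/<server>` object form are modelled assumptions, and the cluster URLs, role name and policy lines are constructed for the example; only the observable effect (one `clusters, update` grant reaching every cluster secret) comes from the advisory. `updateWeak` checks the policy against the project and server named in the request body and then writes whatever secret the request's id selects, so a team-a role can rewrite team-b's secret (widening `Namespaces`, disabling TLS verification). `updateHardened` resolves the stored secret first and checks the policy against it, refusing the same request; and with every `clusters, update` grant revoked, even the weak handler refuses.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Illustrative model, not Argo CD's code: handler shapes are assumptions; only the
// observable effect (one update grant reaches every cluster secret) is from the advisory.
var ErrForbidden = errors.New("permission denied")

// Cluster is the subset of a cluster secret that matters here.
type Cluster struct {
	Server, Project string
	Namespaces      []string // namespaces Argo CD may manage in this cluster
	Insecure        bool     // true disables TLS certificate verification
}
type Store map[string]Cluster // stands in for the cluster secrets, keyed by server URL

// Policy is one "p, <subject>, clusters, <action>, <project>/<server>, allow" line; only
// the clusters resource, allow lines and a trailing "*" glob are modelled.
type Policy struct{ Subject, Action, Object string }

func parsePolicyCSV(csv string) []Policy {
	var out []Policy
	for _, line := range strings.Split(csv, "\n") {
		f := strings.Fields(strings.ReplaceAll(line, ",", " ")) // fields carry no spaces here
		if len(f) == 6 && f[0] == "p" && f[2] == "clusters" && f[5] == "allow" {
			out = append(out, Policy{f[1], f[3], f[4]})
		}
	}
	return out
}

func allowed(policies []Policy, subject, action, object string) bool {
	for _, p := range policies {
		match := p.Object == object || strings.HasSuffix(p.Object, "*") &&
			strings.HasPrefix(object, strings.TrimSuffix(p.Object, "*"))
		if p.Subject == subject && p.Action == action && match {
			return true
		}
	}
	return false
}

// rbacObject is the "<project>/<server>" form a project-scoped cluster is checked as.
func rbacObject(c Cluster) string { return c.Project + "/" + c.Server }

// updateWeak authorizes against the project/server named in the request body (c), then
// overwrites whatever secret the request's id selects.
func updateWeak(store Store, policies []Policy, subject, id string, c Cluster) error {
	if _, ok := store[id]; !ok || !allowed(policies, subject, "update", rbacObject(c)) {
		return ErrForbidden
	}
	store[id] = c
	return nil
}

// updateHardened resolves the stored secret first and authorizes against it; moving the
// cluster to another project also needs update on the new object. An unknown id is
// reported as forbidden so the endpoint does not become an existence oracle.
func updateHardened(store Store, policies []Policy, subject, id string, c Cluster) error {
	existing, ok := store[id]
	if !ok || !allowed(policies, subject, "update", rbacObject(existing)) {
		return ErrForbidden
	}
	if c.Project != existing.Project && !allowed(policies, subject, "update", rbacObject(c)) {
		return ErrForbidden
	}
	store[id] = c
	return nil
}

// Constructed scenario: team-a administers its own cluster; team-b's is off limits.
const (
	teamACluster  = "https://team-a.k8s.example.internal"
	teamBCluster  = "https://team-b.k8s.example.internal"
	teamARole     = "role:team-a-admin"
	policyCSV     = "p, role:team-a-admin, clusters, update, team-a/*, allow\n"
	workaroundCSV = "p, role:team-a-admin, clusters, get, team-a/*, allow\n" // update grant revoked
)

// hostileUpdate targets team-b's secret while claiming project team-a in the body, widening
// Namespaces to "*" and switching off TLS verification. It reports whether the write landed
// (team-b's secret now has Insecure set) together with the handler's error.
func hostileUpdate(update func(Store, []Policy, string, string, Cluster) error, csv string) (bool, error) {
	store := Store{
		teamACluster: {Server: teamACluster, Project: "team-a", Namespaces: []string{"team-a"}},
		teamBCluster: {Server: teamBCluster, Project: "team-b", Namespaces: []string{"team-b"}},
	}
	hostile := Cluster{Server: teamBCluster, Project: "team-a", Namespaces: []string{"*"}, Insecure: true}
	err := update(store, parsePolicyCSV(csv), teamARole, teamBCluster, hostile)
	return store[teamBCluster].Insecure, err
}

func main() {
	fmt.Println(hostileUpdate(updateWeak, policyCSV))     // true <nil>: team-b's secret rewritten
	fmt.Println(hostileUpdate(updateHardened, policyCSV)) // false permission denied
	fmt.Println(hostileUpdate(updateWeak, workaroundCSV)) // false permission denied
}
```

The prefix-glob matcher is a stand-in for Argo CD's casbin-based policy engine and the example does not model the second workaround (AppProject `destinations` and `clusterResourceWhitelist`), which is enforced on the project rather than on the cluster secret. The point to carry over to any update endpoint is the one the hardened handler makes: authorize against the identity of the object that will actually be written, and check a caller-supplied ownership field separately when it changes.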
Weakness Enumeration
Incorrect Authorization (CWE-863)
Related Identifiers
CVE-2023-23947
Affected Products
Argo CD
Kubernetes