CVE-2023-40026

Name of the Vulnerable Software and Affected Versions Argo CD versions prior to 2.3

Description Argo CD is a declarative continuous deployment framework for Kubernetes. The issue allows an attacker to reference external Helm charts handled by the same repo-server to leak values or files from the referenced Helm Chart using a specifically-crafted Helm file. This is possible because Helm paths were predictable, allowing an attacker to add a Helm chart that references Helm resources from predictable paths. As a result, it is possible to reference and render the values and resources from other existing Helm charts, regardless of permissions. Although secrets are generally not stored in these files, it is still possible to reference any values from these charts.

Recommendations For Argo CD versions prior to 2.3, update to a supported version. If updating is not possible, consider disabling Helm chart rendering or using an additional repo-server for each Helm chart to prevent possible exploitation.