PT-2023-27223 · Argo Cd · Argo Cd

Alexmt · Published 2023-09-07 · Updated 2024-08-21

CVE-2023-40029
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Argo CD versions prior to 2.6.15
Argo CD versions prior to 2.7.14
Argo CD versions prior to 2.8.3
Description

Argo CD is a declarative continuous deployment tool for Kubernetes. Argo CD cluster secrets may be managed declaratively with Argo CD or kubectl apply, in which case the full secret body is stored in the kubectl.kubernetes.io/last-applied-configuration annotation. That annotation, and with it the full secret body, is exposed when managing cluster labels and annotations. To view cluster annotations via the Argo CD API, a user must have "clusters, get" RBAC access. In many cases cluster secrets do not contain sensitive information, but sometimes, as with bearer-token auth, the contents might be very sensitive.
Recommendations

For versions prior to 2.6.15, upgrade to version 2.6.15 or later.
For versions prior to 2.7.14, upgrade to version 2.7.14 or later.
For versions prior to 2.8.3, upgrade to version 2.8.3 or later.

As a temporary workaround, update/deploy the cluster secret with the server-side-apply flag, which does not use or rely on the kubectl.kubernetes.io/last-applied-configuration annotation. Note that annotations on existing secrets will require manual removal.
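The description and the workaround above both turn on one fact: a client-side kubectl apply copies the whole applied manifest, plaintext stringData included, into the last-applied annotation, which a user with only "clusters, get" access can read. The following added example (not part of the advisory or of the Argo CD project) audits cluster Secrets for that annotation, reports which secret fields it exposes, flags bearer-token configs, and produces the cleaned object. The sample Secret, the secret name prod-cluster and the token value are constructed for the example; in practice the input would be the output of "kubectl get secret -n argocd -l argocd.argoproj.io/secret-type=cluster -o json".

```python
import base64
import json
from copy import deepcopy

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
CLUSTER_SECRET_LABEL = "argocd.argoproj.io/secret-type"

# Constructed sample: the manifest an operator applied client-side with 'kubectl apply'.
# The bearer token is a placeholder, not a real credential.
_APPLIED_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "prod-cluster",
        "namespace": "argocd",
        "labels": {CLUSTER_SECRET_LABEL: "cluster"},
    },
    "type": "Opaque",
    "stringData": {
        "name": "prod",
        "server": "https://10.0.0.1:6443",
        "config": json.dumps({"bearerToken": "PLACEHOLDER-TOKEN"}),
    },
}

# Constructed sample: the same Secret as the API server returns it afterwards.
# stringData has been base64-encoded into data, but the annotation still carries
# the full applied manifest, plaintext token included.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "prod-cluster",
        "namespace": "argocd",
        "labels": {CLUSTER_SECRET_LABEL: "cluster"},
        "annotations": {LAST_APPLIED: json.dumps(_APPLIED_MANIFEST)},
    },
    "type": "Opaque",
    "data": {
        k: base64.b64encode(v.encode()).decode()
        for k, v in _APPLIED_MANIFEST["stringData"].items()
    },
}


def is_cluster_secret(secret: dict) -> bool:
    """True for Secrets Argo CD treats as cluster credentials."""
    labels = secret.get("metadata", {}).get("labels") or {}
    return labels.get(CLUSTER_SECRET_LABEL) == "cluster"


def last_applied_body(secret: dict):
    """The object kubectl recorded in the last-applied annotation, or None if absent/unparseable."""
    annotations = secret.get("metadata", {}).get("annotations") or {}
    raw = annotations.get(LAST_APPLIED)
    if raw is None:
        return None
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None


def exposed_fields(secret: dict) -> list:
    """Names of secret fields whose values can be read from the annotation alone."""
    body = last_applied_body(secret)
    if body is None:
        return []
    return sorted(set(body.get("stringData") or {}) | set(body.get("data") or {}))


def annotation_leaks_bearer_token(secret: dict) -> bool:
    """True if the annotation's 'config' field carries a bearerToken (the high-impact case)."""
    body = last_applied_body(secret)
    if body is None:
        return False
    config = (body.get("stringData") or {}).get("config")
    if config is None:
        encoded = (body.get("data") or {}).get("config")
        if encoded is None:
            return False
        config = base64.b64decode(encoded).decode()
    try:
        return bool(json.loads(config).get("bearerToken"))
    except (json.JSONDecodeError, AttributeError):
        return False


def strip_last_applied(secret: dict) -> dict:
    """Copy of the Secret without the annotation; the manual cleanup the advisory calls for.
    On a live cluster the equivalent is:
    kubectl annotate secret <name> -n argocd kubectl.kubernetes.io/last-applied-configuration-
    and future updates should use 'kubectl apply --server-side' so it is not re-created."""
    cleaned = deepcopy(secret)
    (cleaned.get("metadata", {}).get("annotations") or {}).pop(LAST_APPLIED, None)
    return cleaned


def audit(items: list) -> list:
    """(namespace/name, exposed fields) for cluster Secrets still carrying the annotation."""
    return [
        (f"{s['metadata']['namespace']}/{s['metadata']['name']}", exposed_fields(s))
        for s in items
        if is_cluster_secret(s) and last_applied_body(s) is not None
    ]


if __name__ == "__main__":
    for ref, fields in audit([SAMPLE_SECRET]):
        print(f"{ref}: annotation exposes {fields}")
    print("bearer token in annotation:", annotation_leaks_bearer_token(SAMPLE_SECRET))
    print("after cleanup:", audit([strip_last_applied(SAMPLE_SECRET)]))
```

Only the annotation is inspected: the data field is what a user with secret read access could obtain anyway, whereas the annotation is what the Argo CD cluster API surfaced to users holding just "clusters, get".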

Weakness Enumeration

Information Disclosure
Insertion into Log File

Related Identifiers

BIT-ARGO-CD-2023-40029
CVE-2023-40029
GHSA-FWR2-64VR-XV9M
GO-2023-2049

Affected Products

Argo Cd