PT-2024-2562 · Argo Cd · Argo Cd

Crenshaw-Dev · Published 2024-03-13 · Updated 2025-06-02 · CVE-2023-50726

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions
Argo CD versions 1.2.0-rc1 through 2.10.2
Argo CD versions 1.2.0-rc1 through 2.9.7
Argo CD versions 1.2.0-rc1 through 2.8.11

Description
The issue is an improper-validation flaw in Argo CD, a declarative GitOps continuous delivery tool for Kubernetes. It allows users who hold the "create" privilege on Applications, but not the "override" privilege, to sync locally supplied manifests at application creation time, bypassing the restriction that manifests must come from an approved git/Helm/OCI source. The affected feature is "local sync", which lets developers temporarily override an Application's manifests with locally defined ones. Because it lets a user bypass any merge protections enforced in git, this feature should generally be limited to highly trusted users.

Recommendations
For Argo CD versions 1.2.0-rc1 through 2.10.2, upgrade to version 2.10.3. For Argo CD versions 1.2.0-rc1 through 2.9.7, upgrade to version 2.9.8. For Argo CD versions 1.2.0-rc1 through 2.8.11, upgrade to version 2.8.12. As a temporary workaround, consider removing the "applications, create" RBAC permission from users who are not also trusted with "applications, override", to mitigate the risk of branch-protection bypass.
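The following is an added example of the RBAC workaround described above; it is not configuration from the advisory or from the Argo CD project. It shows an argocd-rbac-cm ConfigMap in two variants: the weak policy, which relies on an "override" deny that affected versions did not enforce during application creation, and the workaround policy, which withholds "create" from the lower-trust role until the instance is upgraded. The project name "my-project", the roles "role:developer" and "role:release-manager", and the user "alice" are assumptions chosen for illustration.

```yaml
# Weak setting (assumed example): developers can create Applications and are
# denied "override". On affected versions the override check was bypassable at
# app creation, so the deny line below does not actually prevent local sync.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:developer, applications, get, my-project/*, allow
    p, role:developer, applications, sync, my-project/*, allow
    p, role:developer, applications, create, my-project/*, allow
    p, role:developer, applications, override, my-project/*, deny
    g, alice, role:developer
---
# Workaround setting (assumed example): "create" is removed from the
# lower-trust role; only the highly trusted role may create Applications and
# use local sync. Keep this until the instance runs a fixed release.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    p, role:developer, applications, get, my-project/*, allow
    p, role:developer, applications, sync, my-project/*, allow
    p, role:release-manager, applications, get, my-project/*, allow
    p, role:release-manager, applications, sync, my-project/*, allow
    p, role:release-manager, applications, create, my-project/*, allow
    p, role:release-manager, applications, override, my-project/*, allow
    g, alice, role:release-manager
```

The two documents are alternatives, not a pair to apply together. The point of the second variant is that the permission being relied on as a boundary is "create", which the vulnerable code path did honour, rather than "override", which it did not; after upgrading to a fixed version the "override" deny can again be used on its own.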

Weakness Enumeration

Improper Access Control
Improper Privilege Management
Incorrect Authorization

Related Identifiers

BDU:2024-02570
BIT-ARGO-CD-2023-50726
CVE-2023-50726
GHSA-G623-JCGG-MHMM
GO-2024-2643
RHSA-2024:1752

Affected Products

Argo Cd