argo-cd Controller reconciles apps outside configured namespaces when sharding is enabled
CVE-2023-22736

8.6 HIGH

Key Information:

Vendor

Argoproj

Status
Vendor
CVE Published:
26 January 2023

What is CVE-2023-22736?

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, is affected by an authorization bypass that lets a malicious Argo CD user get Applications reconciled from namespaces outside the configured allow-list. The bug only applies when the beta 'apps-in-any-namespace' feature is enabled (application.namespaces set in the argocd-cmd-params-cm ConfigMap, or --application-namespaces passed to the Application controller and API server). With that feature on, the namespaces whose Application resources the controller reconciles are given as a comma-delimited list of glob patterns. When sharding is enabled by running more than one Application controller replica, the controller does not enforce that list: if the list is 'argocd-*', an Application created in a namespace such as 'other' may still be reconciled even though it does not match. Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to update the Application resource, and the AppProject named in the Application's spec.project must still allow Applications in that namespace (its sourceNamespaces). A patch is available in versions 2.5.8 and 2.6.0-rc5. Until upgraded, restrict the sourceNamespaces of every AppProject to the namespaces actually intended, and/or run a single Application controller replica so that sharding is disabled.
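The following Go program is an added illustration, not Argo CD's own code, of the control flow the advisory describes: a namespace allow-list of glob patterns, an AppProject restriction, and a sharded controller. The Application and AppProject structs, the shardFor hash and the two shouldReconcile functions are constructed stand-ins; filepath.Match is assumed to behave like Argo CD's glob matcher for the simple patterns used here, and the control-plane namespace is assumed to be "argocd". The vulnerable variant models the pre-2.5.8 / 2.6.0-rc4 behaviour, where shard ownership is the only test applied once replicas exceed one; the fixed variant applies the namespace check before asking which shard owns the object.

```go
package main

import (
	"fmt"
	"hash/fnv"
	"path/filepath"
	"strings"
)

// controlPlaneNamespace is the namespace Argo CD itself runs in; Applications
// there are always reconciled, independent of application.namespaces (assumed "argocd").
const controlPlaneNamespace = "argocd"

// Application is a minimal stand-in for an Argo CD Application resource
// (constructed for this example, not Argo CD's real API type).
type Application struct {
	Name      string
	Namespace string // where the Application object itself lives
	Project   string // spec.project
}

// AppProject is a minimal stand-in; SourceNamespaces mirrors the AppProject
// field that lists the namespaces its Applications may be created in.
type AppProject struct {
	Name             string
	SourceNamespaces []string
}

// matchesAny reports whether ns matches at least one glob pattern.
// filepath.Match stands in for Argo CD's glob matcher here (assumption);
// patterns is the comma-delimited application.namespaces list, already split.
func matchesAny(ns string, patterns []string) bool {
	for _, p := range patterns {
		if ok, err := filepath.Match(strings.TrimSpace(p), ns); err == nil && ok {
			return true
		}
	}
	return false
}

// shardFor maps an Application to one of `replicas` controller shards.
// Hypothetical stable hash, only so the sharded branch below is concrete.
func shardFor(app Application, replicas int) int {
	h := fnv.New32a()
	h.Write([]byte(app.Namespace + "/" + app.Name))
	return int(h.Sum32() % uint32(replicas))
}

// namespaceAllowed is the authorization check the advisory says the sharded
// path skipped: the control-plane namespace is always allowed; any other
// namespace must match the global glob list AND the Application's AppProject.
func namespaceAllowed(app Application, patterns []string, projects map[string]AppProject) bool {
	if app.Namespace == controlPlaneNamespace {
		return true
	}
	if !matchesAny(app.Namespace, patterns) {
		return false
	}
	proj, ok := projects[app.Project]
	return ok && matchesAny(app.Namespace, proj.SourceNamespaces)
}

// shouldReconcileVulnerable models the pre-fix behaviour: with more than one
// replica, shard ownership is the only test, so the allow-list is never consulted.
func shouldReconcileVulnerable(app Application, shard, replicas int, patterns []string, projects map[string]AppProject) bool {
	if replicas > 1 {
		return shardFor(app, replicas) == shard
	}
	return namespaceAllowed(app, patterns, projects)
}

// shouldReconcileFixed applies the namespace check unconditionally and only
// then asks whether this shard owns the Application.
func shouldReconcileFixed(app Application, shard, replicas int, patterns []string, projects map[string]AppProject) bool {
	if !namespaceAllowed(app, patterns, projects) {
		return false
	}
	return replicas <= 1 || shardFor(app, replicas) == shard
}

func main() {
	// Constructed sample: the operator allowed only argocd-* namespaces, but
	// the "default" AppProject was left wide open (sourceNamespaces: ["*"]).
	patterns := strings.Split("argocd-*", ",")
	projects := map[string]AppProject{
		"default": {Name: "default", SourceNamespaces: []string{"*"}},
	}
	apps := []Application{
		{Name: "web", Namespace: "argocd-team-a", Project: "default"},
		{Name: "rogue", Namespace: "other", Project: "default"},
	}
	const replicas = 2 // sharding enabled
	for _, app := range apps {
		shard := shardFor(app, replicas) // evaluate on the shard that owns the app
		fmt.Printf("%-6s in %-14s vulnerable=%-5v fixed=%v\n", app.Name, app.Namespace,
			shouldReconcileVulnerable(app, shard, replicas, patterns, projects),
			shouldReconcileFixed(app, shard, replicas, patterns, projects))
	}
}
```

Running it shows the rogue Application in namespace "other" being reconciled by the vulnerable sharded path and rejected by the fixed one; with replicas set to 1 both paths reject it, which is the single-replica mitigation from the advisory. The second mitigation is visible in namespaceAllowed: tightening the AppProject's SourceNamespaces to the intended namespaces blocks the rogue Application even on the vulnerable code, because the fix only matters when the project check would have admitted the namespace anyway.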

Affected Version(s)

argo-cd >= 2.5.0-rc1, < 2.5.8 (fixed in 2.5.8)

argo-cd >= 2.6.0-rc4, < 2.6.0-rc5 (fixed in 2.6.0-rc5)

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability reserved

  • Vulnerability published: 26 January 2023