Argo CD users with any cluster secret update access may update out-of-bounds cluster secrets
CVE-2023-23947

9.1 CRITICAL

Key Information:

Vendor: Argoproj
Status: Vendor
CVE Published: 16 February 2023

What is CVE-2023-23947?

Argo CD, a continuous delivery tool for Kubernetes, is affected in all versions from 2.3.0-rc1 up to 2.3.16, 2.4.0 to 2.4.22, 2.5.0 to 2.5.10, and 2.6.0 to 2.6.1. An improper authorization flaw allows any user who can update at least one cluster secret to update every cluster secret. This can lead to privilege escalation, giving unauthorized control over Kubernetes resources, or disrupt Argo CD by severing its connections to external clusters. Users are urged to upgrade to the patched versions 2.3.17, 2.4.23, 2.5.11, or 2.6.2. As an interim measure, users can limit who holds cluster secret update access by adjusting RBAC configuration, or apply restrictions similar to the namespaces and clusterResources fields.
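The following argocd-rbac-cm ConfigMap is an added illustration of the RBAC interim measure described above; it is not taken from the advisory or from the Argo CD project. It contrasts a wildcard grant with one scoped to a single cluster and a single group. The role name, the group name and the cluster URL are assumptions chosen for the example.

```yaml
# Added example: Argo CD RBAC policy that limits cluster-secret update
# rights to one named cluster and one group, instead of the wildcard "*".
# Role, group and cluster URL below are placeholders for this example.
apiVersion: v1
kind: ConfigMap
metadata:
  name: argocd-rbac-cm
  namespace: argocd
data:
  policy.default: role:readonly
  policy.csv: |
    # Weak: every member of this role may update every cluster secret
    # p, role:cluster-editor, clusters, update, *, allow

    # Restricted: read all clusters, update only the staging cluster (assumed URL)
    p, role:cluster-editor, clusters, get, *, allow
    p, role:cluster-editor, clusters, update, https://staging.example.internal, allow

    # Only the assumed platform-team group receives the role
    g, platform-team, role:cluster-editor
```

Because the flaw lets a holder of update access on one cluster secret reach the others, the value of this policy on an unpatched version lies in shrinking the set of principals that hold update at all; upgrading to a fixed release remains the actual remedy.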

Affected Version(s)

argo-cd: affected >= 2.3.0-rc1, < 2.3.17; unaffected < 2.3.0-rc1; fixed in 2.3.17

argo-cd: affected >= 2.4.0, < 2.4.23; unaffected < 2.4.0; fixed in 2.4.23

argo-cd: affected >= 2.5.0, < 2.5.11; unaffected < 2.5.0; fixed in 2.5.11

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
