Argo CD users with any cluster secret update access may update out-of-bounds cluster secrets
CVE-2023-23947
What is CVE-2023-23947?
Argo CD, a continuous delivery tool for Kubernetes, is vulnerable in all versions from 2.3.0-rc1 to 2.3.16, 2.4.0 to 2.4.22, 2.5.0 to 2.5.10, and 2.6.0 to 2.6.1. An improper authorization flaw lets any user who can update at least one cluster secret update every cluster secret. This can lead to privilege escalation, giving unauthorized control over Kubernetes resources, or disrupt Argo CD by severing its connections to external clusters. Users are urged to upgrade to the patched versions 2.3.17, 2.4.23, 2.5.11, or 2.6.2. As interim mitigations, users can restrict access through RBAC configuration or apply restrictions similar to those of the namespaces and clusterResources fields.
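Two checks a defender can run against the details above, written here as an added example (not Argo CD project code): whether a deployed Argo CD version falls in the affected ranges, and which subjects in an argocd-rbac-cm policy.csv hold update on the clusters resource, the grant the advisory says to restrict until patched. The policy lines and cluster URL are constructed sample data.

```python
"""Audit helpers for CVE-2023-23947 (constructed example, not Argo CD code)."""
import csv
import re
from io import StringIO

# Affected ranges taken from the advisory, as [first affected, first fixed).
AFFECTED_RANGES = [("2.3.0-rc1", "2.3.17"), ("2.4.0", "2.4.23"),
                   ("2.5.0", "2.5.11"), ("2.6.0", "2.6.2")]

def version_key(version):
    """Order Argo CD versions; a pre-release like 2.3.0-rc1 sorts before 2.3.0."""
    base, _, pre = version.lstrip("v").partition("-")
    nums = tuple(int(p) for p in base.split("."))
    if pre:
        m = re.match(r"rc(\d+)$", pre)
        return nums, (0, int(m.group(1)) if m else 0)
    return nums, (1, 0)

def is_affected(version):
    """True if the Argo CD version lies in one of the advisory's affected ranges."""
    k = version_key(version)
    return any(version_key(lo) <= k < version_key(hi) for lo, hi in AFFECTED_RANGES)

def cluster_update_grants(policy_csv):
    """Return (subject, object) pairs granted 'update' on the 'clusters' resource.

    Before the fix, any such grant, however narrowly scoped by object, let the
    subject update every cluster secret, so each one deserves review."""
    grants = []
    for row in csv.reader(StringIO(policy_csv)):
        row = [c.strip() for c in row]
        if not row or row[0] != "p" or len(row) < 6:
            continue  # skip blanks, comments and 'g' group bindings
        _, subject, resource, action, obj, effect = row[:6]
        if effect == "allow" and resource in ("clusters", "*") and action in ("update", "*"):
            grants.append((subject, obj))
    return grants

# Constructed sample policy in Argo CD's policy.csv format (not from a real install).
SAMPLE_POLICY = """\
p, role:admin, *, *, *, allow
p, role:team-a, clusters, get, https://team-a.example.invalid, allow
p, role:team-a, clusters, update, https://team-a.example.invalid, allow
p, role:readonly, clusters, update, *, deny
g, alice, role:team-a
"""

if __name__ == "__main__":
    print("2.5.10 affected:", is_affected("2.5.10"))
    for subject, obj in cluster_update_grants(SAMPLE_POLICY):
        print(f"review: {subject} may update cluster secret(s) {obj}")
```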

Affected Version(s)
Package    Affected range             Unaffected versions
argo-cd    >= 2.3.0-rc1, < 2.3.17     < 2.3.0-rc1, 2.3.17
argo-cd    >= 2.4.0, < 2.4.23         < 2.4.0, 2.4.23
argo-cd    >= 2.5.0, < 2.5.11         < 2.5.0, 2.5.11
