Cluster secret might leak in cluster details page in Argo CD
CVE-2023-40029

9.9CRITICAL

Key Information:

Vendor: Argoproj
Status: Argo-cd
Vendor: CVE Published:; 7 September 2023

What is CVE-2023-40029?

Argo CD, a continuous deployment tool for Kubernetes, exposes potentially sensitive information through the kubectl.kubernetes.io/last-applied-configuration annotation. This issue arises when cluster secrets are managed declaratively, which can unintentionally store sensitive data, such as bearer tokens, in locations accessible by users with specific RBAC permissions. It is crucial for users to upgrade to the patched versions (2.8.3, 2.7.14, and 2.6.15) or apply best practices by deploying secrets with the server-side-apply flag to mitigate this risk effectively.

Affected Version(s)

argo-cd >= 2.2.0, < 2.6.15 < 2.2.0, 2.6.15

argo-cd >= 2.7.0, < 2.7.14 < 2.7.0, 2.7.14

argo-cd >= 2.8.0, < 2.8.3 < 2.8.0, 2.8.3

References

https://github.com/argoproj/argo-cd/security/advisories/G...

x_refsource_CONFIRM

https://github.com/argoproj/argo-cd/pull/7139

x_refsource_MISC

https://github.com/argoproj/argo-cd/commit/4b2e5b06bff2ff...

x_refsource_MISC

CVSS V3.1

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 7, 2023
Vulnerability Reserved
Aug 8, 2023

Argoproj

What is CVE-2023-40029?

Affected Version(s)

References

CVSS V3.1

Timeline