CVE-2023-23947
Published 2023-02-16
Priority: P3 (50) · Severity: high · CVSS 3.1 base score: 8.5
CVSS 3.1 vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.67% (47.4th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23, 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters, update` access, or use the AppProject `destinations` and `clusterResourceWhitelist` fields to apply the same kind of restrictions that the cluster secret's own `namespaces` and `clusterResources` fields provide, so that the restriction does not live only in a secret the attacker can rewrite.
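To verify that the first workaround is really in effect, the Go program below (added here as an example; it is not Argo CD's code) parses the Casbin-style `policy.csv` lines that Argo CD reads from `argocd-rbac-cm` and lists every line that confers `clusters, update`, counting wildcard resources and actions as grants too. The two policies embedded in it are constructed for the example; the role and user names are invented.

```go
package main

import (
	"fmt"
	"strings"
)

// Grant is one policy line that confers update rights on cluster secrets.
type Grant struct {
	Subject string // role or user the line applies to
	Action  string // "update", or a wildcard that includes it
	Object  string // "<project>/<server>" pattern the line applies to
}

// clusterUpdateGrants scans policy lines of the form
// "p, <subject>, <resource>, <action>, <object>, <effect>" and returns every
// allow line whose resource covers "clusters" and whose action covers "update".
// Wildcards ("*") on resource or action are reported as well, because they
// confer the same right. "g" lines (user-to-role bindings) grant nothing by
// themselves and are skipped; lines with fewer than six fields are ignored.
func clusterUpdateGrants(policy string) []Grant {
	var grants []Grant
	for _, raw := range strings.Split(policy, "\n") {
		line := strings.TrimSpace(raw)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ",")
		for i := range fields {
			fields[i] = strings.TrimSpace(fields[i])
		}
		if fields[0] != "p" || len(fields) < 6 {
			continue
		}
		subject, resource, action, object, effect := fields[1], fields[2], fields[3], fields[4], fields[5]
		if effect != "allow" {
			continue
		}
		if resource != "clusters" && resource != "*" {
			continue
		}
		if action != "update" && action != "*" {
			continue
		}
		grants = append(grants, Grant{Subject: subject, Action: action, Object: object})
	}
	return grants
}

// Constructed sample: a role scoped to the "dev" project that also holds
// "clusters, update" on dev's clusters. Before the fix that single grant was
// enough to update any cluster secret whose server URL the holder knew.
const weakPolicy = `
p, role:dev-ops, applications, *, dev/*, allow
p, role:dev-ops, clusters, get, dev/*, allow
p, role:dev-ops, clusters, update, dev/*, allow
g, alice, role:dev-ops
`

// The first workaround from the advisory applied: no line grants
// "clusters, update" any more, so the vulnerable update path is unreachable.
const revokedPolicy = `
p, role:dev-ops, applications, *, dev/*, allow
p, role:dev-ops, clusters, get, dev/*, allow
g, alice, role:dev-ops
`

func main() {
	for name, p := range map[string]string{"weak": weakPolicy, "revoked": revokedPolicy} {
		grants := clusterUpdateGrants(p)
		fmt.Printf("%s policy: %d clusters/update grant(s)\n", name, len(grants))
		for _, g := range grants {
			fmt.Printf("  %s may %s %s\n", g.Subject, g.Action, g.Object)
		}
	}
}
```

Two caveats when running this against a real `argocd-rbac-cm`: a `policy.default` of a role that itself holds `clusters, update` (for example the built-in `role:admin`) confers the right without any matching line in `policy.csv`, and if `policy.matchMode` is set to `regex` rather than the default glob matching, actions and resources written as regular expressions must be evaluated as such, which this literal comparison does not do.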
Affected
16 ranges in the source record; the 12 that carry version data:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo_cd | >= 2.3.0 < 2.3.17 | 2.3.17 |
| argoproj | argo_cd | >= 2.4.0 < 2.4.23 | 2.4.23 |
| argoproj | argo_cd | >= 2.5.0 < 2.5.11 | 2.5.11 |
| argoproj | argo_cd | >= 2.6.0 < 2.6.2 | 2.6.2 |
| github.com | argoproj_argo-cd | >= 2.3.0 < 2.3.17 | 2.3.17 |
| github.com | argoproj_argo-cd | >= 2.4.0 < 2.4.23 | 2.4.23 |
| github.com | argoproj_argo-cd | >= 2.5.0 < 2.5.11 | 2.5.11 |
| github.com | argoproj_argo-cd | >= 2.6.0 < 2.6.2 | 2.6.2 |
| github.com | argoproj_argo-cd_v2 | >= 2.3.0 < 2.3.17 | 2.3.17 |
| github.com | argoproj_argo-cd_v2 | >= 2.4.0 < 2.4.23 | 2.4.23 |
| github.com | argoproj_argo-cd_v2 | >= 2.5.0 < 2.5.11 | 2.5.11 |
| github.com | argoproj_argo-cd_v2 | >= 2.6.0 < 2.6.2 | 2.6.2 |
Note that the advisory text puts the first affected version at 2.3.0-rc1, while the ranges above begin at 2.3.0 as the sources list them; pre-release builds of 2.3 should be treated as affected.
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (CVSS 3.1) | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| Red Hat (vendor) | 9.1 | CRITICAL | not given |
OSV · 2024-08-20
CVE-2023-23947: Users with any cluster secret update access may update out-of-bounds cluster secrets in github.com/argoproj/argo-cd
OSV · 2023-02-16
CVE-2023-23947 [CRITICAL]: Users with any cluster secret update access may update out-of-bounds cluster secrets
### Impact
All Argo CD versions starting with v2.3.0-rc1 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret.
The attacker could use this access to escalate privileges (potentially controlling Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters).
#### How the Attack Works
Argo CD stores [cluster access configurations](https://argo-cd.readthedocs.io/en/stable/operator-manual/declarative-setup/#clusters) as Kubernetes Secrets. To take advantage of the vulnerability, an attacker must know the server URL for the cluster secret they want to modify.
The
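As an added example, not Argo CD's code, the Go model below contrasts an update handler that authorizes against the project named in the request body with one that authorizes against the project recorded on the stored secret. That the permission check was keyed on a caller-supplied scope while the write was keyed on the server URL is an assumption made for this example; the page itself only states that the attacker must know the target secret's server URL. The store, the caller "alice", her grants and the `*.example.internal` URLs are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model only. A cluster secret is keyed by its server URL and
// records the project that scopes RBAC decisions about it.
type ClusterSecret struct {
	Server  string
	Project string
	Config  string // stands in for the credential material a real secret holds
}

// Store models the set of cluster secrets, indexed by server URL.
type Store map[string]*ClusterSecret

// Caller lists the projects in which this user holds "clusters, update";
// "*" stands for a wildcard grant.
type Caller struct {
	Name         string
	UpdateGrants []string
}

func (c Caller) mayUpdateIn(project string) bool {
	for _, g := range c.UpdateGrants {
		if g == "*" || g == project {
			return true
		}
	}
	return false
}

// UpdateRequest mirrors the shape of an update call: the body carries the whole
// cluster object, including the project the caller claims it belongs to.
type UpdateRequest struct {
	Cluster ClusterSecret
}

var ErrForbidden = errors.New("permission denied")

// vulnerableUpdate authorizes against the project named in the request body,
// then writes to whichever stored secret matches the body's server URL. The two
// are never reconciled, so the caller chooses the scope that is checked and,
// separately, the object that is written.
func vulnerableUpdate(s Store, caller Caller, req UpdateRequest) error {
	if !caller.mayUpdateIn(req.Cluster.Project) {
		return ErrForbidden
	}
	existing, ok := s[req.Cluster.Server]
	if !ok {
		return ErrForbidden
	}
	existing.Project = req.Cluster.Project
	existing.Config = req.Cluster.Config
	return nil
}

// hardenedUpdate resolves the stored secret first and authorizes against the
// project recorded on it. Moving the secret into a different project also
// requires update rights in that destination project.
func hardenedUpdate(s Store, caller Caller, req UpdateRequest) error {
	existing, ok := s[req.Cluster.Server]
	if !ok {
		// Same error as the forbidden case, so callers cannot use the endpoint
		// to confirm which server URLs exist.
		return ErrForbidden
	}
	if !caller.mayUpdateIn(existing.Project) {
		return ErrForbidden
	}
	if req.Cluster.Project != existing.Project && !caller.mayUpdateIn(req.Cluster.Project) {
		return ErrForbidden
	}
	existing.Project = req.Cluster.Project
	existing.Config = req.Cluster.Config
	return nil
}

// newStore builds the constructed fixture: one cluster secret per project.
func newStore() Store {
	return Store{
		"https://dev.example.internal":  {Server: "https://dev.example.internal", Project: "dev", Config: "dev-creds"},
		"https://prod.example.internal": {Server: "https://prod.example.internal", Project: "prod", Config: "prod-creds"},
	}
}

// attack runs the cross-project update through the given handler. The caller
// holds "clusters, update" only in "dev" but knows prod's server URL. It returns
// the prod secret's config afterwards and the handler's error.
func attack(update func(Store, Caller, UpdateRequest) error) (string, error) {
	s := newStore()
	caller := Caller{Name: "alice", UpdateGrants: []string{"dev"}}
	req := UpdateRequest{Cluster: ClusterSecret{
		Server:  "https://prod.example.internal", // target, identified by URL
		Project: "dev",                           // the scope the caller does hold
		Config:  "attacker-supplied-creds",
	}}
	err := update(s, caller, req)
	return s["https://prod.example.internal"].Config, err
}

func main() {
	for name, h := range map[string]func(Store, Caller, UpdateRequest) error{
		"vulnerable": vulnerableUpdate,
		"hardened":   hardenedUpdate,
	} {
		cfg, err := attack(h)
		fmt.Printf("%-10s prod config=%q err=%v\n", name, cfg, err)
	}
}
```

The vulnerable handler both overwrites prod's credentials and silently moves the prod cluster secret into the "dev" project, which is the privilege escalation the advisory describes; the hardened handler refuses because the caller holds no update right in "prod", the project the stored secret actually belongs to.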
GHSA · 2023-02-16
CVE-2023-23947 [CRITICAL] CWE-863: Users with any cluster secret update access may update out-of-bounds cluster secrets
Red Hat · 2023-02-16 · CVSS 9.1
CVE-2023-23947 [CRITICAL]: ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/argoproj/argo-cd/security/advisories/GHSA-3jfq-742w-xg8j
https://github.com/argoproj/argo-cd/commit/fbb0b99b1ac3361b253052bd30259fa43a520945