CVE-2023-40029 Cluster secret might leak in cluster details page in Argo CD

2023-09-0722:11:56

CWE-200

GitHub_M

www.cve.org

argo cd

kubernetes

cve-2023-40029

cluster secrets

rbac access

patched

server-side-apply

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

AI Score

9.5

Confidence

High

EPSS

0.001

Percentile

40.0%

JSON

Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored inkubectl.kubernetes.io/last-applied-configuration annotation. pull request #7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets it also exposes the kubectl.kubernetes.io/last-applied-configuration annotation which includes full secret body. In order to view the cluster annotations via the Argo CD API, the user must have clusters, get RBAC access. Note: In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive. The bug has been patched in versions 2.8.3, 2.7.14, and 2.6.15. Users are advised to upgrade. Users unable to upgrade should update/deploy cluster secret with server-side-apply flag which does not use or rely on kubectl.kubernetes.io/last-applied-configuration annotation. Note: annotation for existing secrets will require manual removal.

CNA Affected

[
  {
    "vendor": "argoproj",
    "product": "argo-cd",
    "versions": [
      {
        "version": ">= 2.2.0, < 2.6.15",
        "status": "affected"
      },
      {
        "version": ">= 2.7.0, < 2.7.14",
        "status": "affected"
      },
      {
        "version": ">= 2.8.0, < 2.8.3",
        "status": "affected"
      }
    ]
  }
]