Lucene search

GoogleOSV:GHSA-FWR2-64VR-XV9M

HistorySep 11, 2023 - 12:59 p.m.

Argo CD cluster secret might leak in cluster details page

2023-09-1112:59:30

Google

osv.dev

argo cd

cluster

secret

exposure

risk

patches

workarounds

kubectl

annotation

rbac

api

issue tracker

discussions

slack

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

40.0%

JSON

Impact

Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored inkubectl.kubernetes.io/last-applied-configuration annotation.

https://github.com/argoproj/argo-cd/pull/7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets it also exposes the kubectl.kubernetes.io/last-applied-configuration annotation which includes full secret body. In order to view the cluster annotations via the Argo CD API, the user must have clusters, get RBAC access.

Note: In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive.

Patches

The bug has been patched in the following versions:

2.8.3
2.7.14
2.6.15

Workarounds

Update/Deploy cluster secret with server-side-apply flag which does not use or rely on kubectl.kubernetes.io/last-applied-configuration annotation. Note: annotation for existing secrets will require manual removal.