CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS
Percentile: 40.0%
A flaw was found in the ArgoCD package, used by Red Hat GitOps. Cluster secrets can be managed declaratively through the kubectl apply functionality, which results in the full secret body being stored in the kubectl.kubernetes.io/last-applied-configuration annotation. Since ArgoCD includes the ability to manage cluster labels and annotations via its API, an attacker can retrieve sensitive authentication information by leveraging this capability, imposing a high impact on data confidentiality and integrity for the targeted ArgoCD cluster. To perform a successful attack, the malicious actor needs 'clusters, get' RBAC access granted to its user.
Update/deploy the cluster secret with the server-side-apply flag, which does not use or rely on the kubectl.kubernetes.io/last-applied-configuration annotation.
Note: Annotation for existing secrets will require manual removal.
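The following audit script is an added example, not part of this advisory or of the ArgoCD project. It walks the JSON that kubectl get secrets -o json returns, reports each ArgoCD cluster secret whose last-applied annotation still echoes its data or stringData keys (the residue of a client-side kubectl apply that the mitigation above avoids), and emits the kubectl annotate command that performs the manual removal mentioned in the note. The argocd.argoproj.io/secret-type label used to pick out cluster secrets is assumed from ArgoCD conventions; the sample List and token value are constructed.

```python
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
# Label ArgoCD places on its cluster credential Secrets (assumed from ArgoCD conventions, not from the advisory).
ARGOCD_CLUSTER_LABEL = "argocd.argoproj.io/secret-type"


def leaked_keys(secret: dict) -> list:
    """Names of data/stringData keys that the last-applied annotation echoes (empty if none)."""
    if secret.get("kind") != "Secret":
        return []
    raw = (secret.get("metadata", {}).get("annotations") or {}).get(LAST_APPLIED)
    if not raw:
        return []  # server-side apply or `kubectl create`: kubectl wrote no annotation
    try:
        applied = json.loads(raw)
    except json.JSONDecodeError:
        applied = None
    if not isinstance(applied, dict):
        return ["<unparseable>"]  # cannot prove it is empty, so report it
    return [k for field in ("data", "stringData") for k in sorted(applied.get(field) or {})]


def audit(secret_list: dict, only_argocd: bool = True) -> list:
    """Walk a `kubectl get secrets -o json` List; return (ns, name, keys, fix_cmd) per exposed Secret."""
    findings = []
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        if only_argocd and (meta.get("labels") or {}).get(ARGOCD_CLUSTER_LABEL) != "cluster":
            continue
        keys = leaked_keys(item)
        if keys:
            ns, name = meta.get("namespace", "default"), meta["name"]
            # A trailing '-' on the key makes `kubectl annotate` remove that annotation.
            findings.append((ns, name, keys, f"kubectl annotate secret {name} -n {ns} {LAST_APPLIED}-"))
    return findings


# Constructed sample shaped like `kubectl get secrets -n argocd -o json`; the token is a placeholder.
def _meta(name: str) -> dict:
    return {"name": name, "namespace": "argocd", "labels": {ARGOCD_CLUSTER_LABEL: "cluster"}}

_body = {"apiVersion": "v1", "kind": "Secret", "metadata": _meta("prod-cluster"),
         "stringData": {"name": "prod", "server": "https://10.0.0.1:6443",
                        "config": '{"bearerToken":"<placeholder>"}'}}
SAMPLE = {"kind": "List", "items": [
    # client-side `kubectl apply`: kubectl copied the whole body into the annotation
    {**_body, "metadata": {**_meta("prod-cluster"), "annotations": {LAST_APPLIED: json.dumps(_body)}}},
    # `kubectl apply --server-side`: no last-applied annotation exists
    {**_body, "metadata": _meta("staging-cluster")},
]}
```

Running audit(SAMPLE) flags only prod-cluster, listing the config, name and server keys that its annotation exposes, together with the removal command; pipe real kubectl output into audit(json.load(sys.stdin)) to check a live namespace.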