Argo CD before 2.8.3 Reveals Cluster Secrets via last-applied-configuration
CVE-2023-40029 Published on September 7, 2023
Cluster secret might leak in cluster details page in Argo CD
Argo CD is a declarative continuous deployment tool for Kubernetes. Argo CD cluster secrets may be managed declaratively using Argo CD or `kubectl apply`. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. Pull request #7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets, this also exposes the `kubectl.kubernetes.io/last-applied-configuration` annotation, which includes the full secret body. To view the cluster annotations via the Argo CD API, the user must have `clusters, get` RBAC access.

**Note:** In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as with bearer-token auth, the contents might be very sensitive.

The bug has been patched in versions 2.8.3, 2.7.14, and 2.6.15. Users are advised to upgrade. Users unable to upgrade should update/deploy cluster secrets with server-side apply (`kubectl apply --server-side`), which does not use or rely on the `kubectl.kubernetes.io/last-applied-configuration` annotation. Note: the annotation on existing secrets will require manual removal.
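As an added illustration (not code from the Argo CD project or from this advisory), the following Python script audits the output of `kubectl get secret -n argocd -l argocd.argoproj.io/secret-type=cluster -o json` for cluster secrets that still carry the `kubectl.kubernetes.io/last-applied-configuration` annotation, reports which credential keys of the `config` blob that annotation exposes, and produces a cleaned copy with the annotation removed. The embedded sample secret (name `prod-cluster`, server `https://prod.example.internal`, token `PLACEHOLDER-TOKEN-0123`) is constructed for the example; the `argocd.argoproj.io/secret-type: cluster` label and the `name`/`server`/`config` keys follow the real Argo CD cluster-secret layout.

```python
import base64
import copy
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
CLUSTER_LABEL = "argocd.argoproj.io/secret-type"

# Constructed sample (not a real cluster): the manifest an operator would feed to
# client-side `kubectl apply`. The bearer token is a placeholder, not a credential.
APPLIED_MANIFEST = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "prod-cluster",
        "namespace": "argocd",
        "labels": {CLUSTER_LABEL: "cluster"},
    },
    "type": "Opaque",
    "stringData": {
        "name": "prod",
        "server": "https://prod.example.internal",
        "config": json.dumps({
            "bearerToken": "PLACEHOLDER-TOKEN-0123",
            "tlsClientConfig": {"insecure": False},
        }),
    },
}


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample of what the API server stores after client-side apply:
# `stringData` is folded into base64 `data`, but the annotation keeps the
# applied manifest verbatim, so the token sits there in plaintext.
STORED_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {
        "name": "prod-cluster",
        "namespace": "argocd",
        "labels": {CLUSTER_LABEL: "cluster"},
        "annotations": {LAST_APPLIED: json.dumps(APPLIED_MANIFEST)},
    },
    "type": "Opaque",
    "data": {k: _b64(v) for k, v in APPLIED_MANIFEST["stringData"].items()},
}


def is_cluster_secret(secret):
    """True for Secrets carrying the Argo CD cluster label."""
    labels = secret.get("metadata", {}).get("labels") or {}
    return secret.get("kind") == "Secret" and labels.get(CLUSTER_LABEL) == "cluster"


def leaked_fields(secret):
    """Plaintext fields recoverable from the last-applied annotation ({} if absent).
    `stringData` values are already plaintext; `data` values are base64-decoded,
    which is exactly what anyone viewing the annotation can do."""
    ann = (secret.get("metadata", {}).get("annotations") or {}).get(LAST_APPLIED)
    if not ann:
        return {}
    try:
        applied = json.loads(ann)
    except json.JSONDecodeError:
        return {}
    fields = dict(applied.get("stringData") or {})
    for k, v in (applied.get("data") or {}).items():
        try:
            fields.setdefault(k, base64.b64decode(v).decode())
        except (ValueError, UnicodeDecodeError):
            fields.setdefault(k, v)
    return fields


def leaked_credentials(secret):
    """Credential-bearing keys found inside the leaked `config` JSON blob."""
    fields = leaked_fields(secret)
    if "config" not in fields:
        return []
    try:
        cfg = json.loads(fields["config"])
    except json.JSONDecodeError:
        return []
    found = [k for k in ("bearerToken", "password", "execProviderConfig") if k in cfg]
    tls = cfg.get("tlsClientConfig") or {}
    found += [f"tlsClientConfig.{k}" for k in ("certData", "keyData") if k in tls]
    return found


def strip_last_applied(secret):
    """Copy of the secret without the annotation; the in-cluster equivalent is
    `kubectl annotate secret <name> kubectl.kubernetes.io/last-applied-configuration-`."""
    cleaned = copy.deepcopy(secret)
    anns = cleaned.get("metadata", {}).get("annotations")
    if anns:
        anns.pop(LAST_APPLIED, None)
        if not anns:
            del cleaned["metadata"]["annotations"]
    return cleaned


def audit(secret_list):
    """Given a `kubectl get ... -o json` List, return (name, leaked credential keys)
    for every cluster secret that still exposes its body via the annotation."""
    return [
        (s["metadata"]["name"], leaked_credentials(s))
        for s in secret_list.get("items", [])
        if is_cluster_secret(s) and leaked_fields(s)
    ]


if __name__ == "__main__":
    import sys
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else {"items": [STORED_SECRET]}
    for name, creds in audit(doc):
        print(f"{name}: last-applied annotation present, leaks {creds or 'no credential keys'}")
```

Pipe live output into the script (`kubectl get secret -n argocd -l argocd.argoproj.io/secret-type=cluster -o json | python3 audit_cluster_secrets.py`); run with no input, it audits the embedded sample. The point the sample makes is that client-side `kubectl apply` copies the applied manifest verbatim, so a secret written with `stringData` carries its bearer token in the annotation as plaintext, not even base64-encoded, and any viewer of the annotation (such as the cluster details page in the affected Argo CD versions) reads it directly. For existing secrets, removing the annotation or re-applying with `--server-side` is the mitigation when upgrading is not possible.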
Vulnerability Analysis
CVE-2023-40029 can be exploited over the network and requires only low privileges (an authenticated Argo CD user with `clusters, get` RBAC access). The attack complexity is considered low. A public proof-of-concept (PoC) exploit exists for CVE-2023-40029. The potential impact of exploitation is considered high for confidentiality and integrity, and low for availability.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2023-40029 has been classified as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2023-40029
Linux Foundation Argo Continuous Delivery (Argoproj Argo CD).
Affected Versions
argoproj argo-cd:
- Version >= 2.2.0, < 2.6.15 is affected.
- Version >= 2.7.0, < 2.7.14 is affected.
- Version >= 2.8.0, < 2.8.3 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.