CVE-2023-23947: Critical security bypass vulnerability in Argo CD

A critical-severity security vulnerability in Argo CD could allow an attacker to update out-of-bounds cluster secrets, and escalate privileges or break Argo CD functionality.

Tracked as CVE-2023-23947 (CVSS score of 9.1), the vulnerability exists due to improper authorization. The issue was introduced in Argo CD version v2.3.0-rc1 when Argo CD stores cluster access configurations as Kubernetes Secrets.

Argo CD, a popular open-source GitOps continuous delivery tool for Kubernetes, is used to monitor running applications and compares their live state, helping administrators synchronize applications with their desired state.

“To take advantage of the vulnerability, an attacker must know the server URL for the cluster secret they want to modify. The attacker must be authenticated with the Argo CD API server, and they must be authorized to update at least one (non project-scoped) cluster. Then they must craft a malicious request to the Argo CD API server,” the Argo CD team explained.

The CVE-2023-23947 flaw was resolved with the release of Argo CD versions 2.3.17, 2.4.23, 2.5.11, and 2.6.2.

Argo CD users are advised to update to a patched version of the platform as soon as possible. Mitigation methods include limiting users with cluster update access and restricting resource management via AppProjects and RBAC.

Last month, Argo CD also fixed a critical bypass security restriction (CVE-2023-22482) that an attacker could exploit this vulnerability to allow the API to accept certain invalid tokens.