Argo CD is a popular Continuous Deployment tool that enables DevOps teams to manage their applications across multiple environments. However, in the past two weeks, three critical vulnerabilities have been detected in the tool, exposing sensitive information and compromising the security of the system. In this article, we will discuss the three vulnerabilities and their impact on the system, as well as the patches and workarounds available. Let’s dive into it!
The first vulnerability (CVE-2023-22736) is a high severity issue that allows for an authorization bypass. This vulnerability occurs when the application controller does not enforce the reconciled application namespaces list when sharding is enabled. As a result, a malicious Argo CD user can deploy applications outside of the configured allowed namespaces. This vulnerability affects all Argo CD versions starting with 2.5.0-rc1 and is limited to users who have enabled the “apps-in-any-namespace” feature. Patches have been released in Argo CD versions 2.5.8 and 2.6.0-rc5 to fix this issue.
The second vulnerability (CVE-2023-22482) is a critical issue that is caused by improper authorization. This vulnerability occurs when Argo CD does not validate the audience claim in signed tokens, resulting in the API accepting invalid tokens. If the OIDC provider also serves other audiences, Argo CD will accept tokens intended for those audiences and grant the user privileges based on the token’s groups claim. This issue affects all versions of Argo CD starting with v1.8.2. Patches have been released in Argo CD versions 2.6.0-rc5, 2.5.8, 2.4.20, and 2.3.14. The patch introduces a new “allowedAudiences” feature to the OIDC config block, allowing users to specify the audiences they want to allow.
The third vulnerability (CVE-2023-25163) is a moderate severity issue that results in the leakage of repository access credentials in error messages. This vulnerability affects all versions of Argo CD starting with v2.6.0-rc1 and occurs when output sanitization is not properly done, leading to the leakage of sensitive information in error messages. This issue can be resolved by upgrading to a newer version of Argo CD.
In conclusion, these recent vulnerabilities highlight the importance of API security and the need for companies to focus on securing their APIs. While these issues are a cause for concern for Argo CD users, it is worth noting that Wallarm customers are protected against these vulnerabilities. With the octopus being the Argo CD logo, it’s important to have a strong defense against any potential “octo-attacks.”