First published: Mon Aug 21 2023 (Updated: )
### Impact

Argo CD cluster secrets might be managed declaratively using Argo CD / `kubectl apply`. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation.

https://github.com/argoproj/argo-cd/pull/7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets, this also exposes the `kubectl.kubernetes.io/last-applied-configuration` annotation, which includes the full secret body. In order to view the cluster annotations via the Argo CD API, the user must have `clusters, get` RBAC access.

**Note:** In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive.

### Patches

The bug has been patched in the following versions:

* 2.8.3
* 2.7.14
* 2.6.15

### Workarounds

Update/deploy the cluster secret with the `server-side-apply` flag, which does not use or rely on the `kubectl.kubernetes.io/last-applied-configuration` annotation. Note: the annotation on existing secrets will require manual removal.

### For more information

* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)
* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd
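The following is an added audit helper, not code from the Argo CD project or from the advisory. It reads the JSON that `kubectl get secrets -n argocd -l argocd.argoproj.io/secret-type=cluster -o json` would return (the label selector and the `config`/`bearerToken` layout of a cluster secret are assumptions about Argo CD's conventions, not something the advisory states), reports every cluster secret whose `kubectl.kubernetes.io/last-applied-configuration` annotation still repeats the secret body, flags the ones carrying a bearer token, and produces a sanitized copy plus the `kubectl` commands that implement the workaround (strip the annotation, then re-apply server-side). The sample secret is constructed inline so the script runs offline.

```python
"""Audit Argo CD cluster secrets for the CVE-2023-40029 exposure (added example)."""
import base64
import copy
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"


def _applied_body(secret: dict):
    """Parse the client-side-apply annotation (kubectl stores it as JSON)."""
    ann = secret.get("metadata", {}).get("annotations", {}).get(LAST_APPLIED)
    if not ann:
        return None
    try:
        return json.loads(ann)
    except json.JSONDecodeError:
        return None


def _applied_value(applied: dict, key: str):
    """Return the plaintext value of `key` from stringData or base64 data."""
    string_data = applied.get("stringData") or {}
    if key in string_data:
        return string_data[key]
    enc = (applied.get("data") or {}).get(key)
    return None if enc is None else base64.b64decode(enc).decode()


def exposed_keys(secret: dict) -> list:
    """Data keys whose values are duplicated into the annotation, and therefore
    visible to anyone with `clusters, get` RBAC access through the Argo CD API."""
    applied = _applied_body(secret)
    if applied is None:
        return []
    keys = set(applied.get("data") or {}) | set(applied.get("stringData") or {})
    return sorted(keys)


def contains_bearer_token(secret: dict) -> bool:
    """True when the leaked `config` blob carries a bearerToken (assumed layout)."""
    applied = _applied_body(secret)
    if applied is None:
        return False
    cfg = _applied_value(applied, "config")
    if cfg is None:
        return False
    try:
        return bool(json.loads(cfg).get("bearerToken"))
    except (json.JSONDecodeError, AttributeError):
        return False


def sanitize(secret: dict) -> dict:
    """Copy of the secret without the annotation and server-managed fields,
    suitable for `kubectl apply --server-side`."""
    clean = copy.deepcopy(secret)
    meta = clean.setdefault("metadata", {})
    meta.get("annotations", {}).pop(LAST_APPLIED, None)
    for field in ("resourceVersion", "uid", "creationTimestamp", "managedFields"):
        meta.pop(field, None)
    return clean


def remediation_commands(secret: dict) -> list:
    """Workaround from the advisory: remove the annotation, re-apply server-side."""
    name = secret["metadata"]["name"]
    ns = secret["metadata"].get("namespace", "argocd")
    return [
        f"kubectl annotate secret {name} -n {ns} {LAST_APPLIED}-",
        f"kubectl apply --server-side -f {name}.sanitized.json",
    ]


def audit(secret_list: dict) -> list:
    """Findings for each item of a `kubectl get secrets -o json` list."""
    findings = []
    for item in secret_list.get("items", []):
        keys = exposed_keys(item)
        if keys:
            findings.append({
                "name": item["metadata"]["name"],
                "exposed_keys": keys,
                "bearer_token": contains_bearer_token(item),
            })
    return findings


# Constructed sample: a cluster secret created with client-side `kubectl apply`.
_CONFIG = json.dumps({"bearerToken": "EXAMPLE-TOKEN-NOT-REAL", "tlsClientConfig": {"insecure": False}})
_APPLIED = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "prod-cluster", "namespace": "argocd",
                 "labels": {"argocd.argoproj.io/secret-type": "cluster"}},
    "type": "Opaque",
    "stringData": {"name": "prod", "server": "https://10.0.0.1", "config": _CONFIG},
}
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "prod-cluster", "namespace": "argocd",
                 "labels": {"argocd.argoproj.io/secret-type": "cluster"},
                 "annotations": {LAST_APPLIED: json.dumps(_APPLIED)},
                 "resourceVersion": "12345", "uid": "00000000-0000-0000-0000-000000000000"},
    "type": "Opaque",
    "data": {k: base64.b64encode(v.encode()).decode() for k, v in _APPLIED["stringData"].items()},
}

if __name__ == "__main__":
    for f in audit({"items": [SAMPLE_SECRET]}):
        print(f)
        print("\n".join(remediation_commands(SAMPLE_SECRET)))
```

Run it against real output by replacing `SAMPLE_SECRET` with `json.load(open("secrets.json"))["items"]`; any finding with `bearer_token: True` is the case the advisory's note calls out as very sensitive, since the token is readable by every Argo CD user with `clusters, get` until the annotation is removed.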
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
go/github.com/argoproj/argo-cd/v2 | >=2.8.0, <2.8.3 | 2.8.3 |
go/github.com/argoproj/argo-cd/v2 | >=2.7.0, <2.7.14 | 2.7.14 |
go/github.com/argoproj/argo-cd/v2 | >=2.2.0, <2.6.15 | 2.6.15 |
redhat/ArgoCD | <2.8.1 | 2.8.1 |
redhat/ArgoCD | <2.7.12 | 2.7.12 |
redhat/ArgoCD | <2.6.14 | 2.6.14 |
Linuxfoundation Argo Continuous Delivery | >=2.2.0, <2.6.15 | |
Linuxfoundation Argo Continuous Delivery | >=2.7.0, <2.7.14 | |
Linuxfoundation Argo Continuous Delivery | >=2.8.0, <2.8.3 | |
Argoproj Argo Cd | >=2.2.0, <2.6.15 | |
Argoproj Argo Cd | >=2.7.0, <2.7.14 | |
Argoproj Argo Cd | >=2.8.0, <2.8.3 | |
CVE-2023-40029 is a vulnerability in Argo CD affecting cluster secrets that are managed declaratively with `kubectl apply`.
The impact of CVE-2023-40029 is that the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation, which the Argo CD API exposes to any user with `clusters, get` RBAC access.
CVE-2023-40029 has a severity rating of 9.9 (Critical).
Argo CD versions up to and excluding 2.8.1 are affected by CVE-2023-40029 (the table above lists the per-branch affected ranges and fixed versions).
To fix CVE-2023-40029, update Argo CD to version 2.8.1 or later; as a workaround, re-apply cluster secrets with server-side apply and manually remove the annotation from existing secrets.