CVE-2023-40029
📋 TL;DR
This vulnerability in Argo CD exposes sensitive cluster secret data through the API. Users with 'clusters, get' RBAC permissions can access the full secret contents via the kubectl.kubernetes.io/last-applied-configuration annotation. All Argo CD deployments managing cluster secrets declaratively are affected.
💻 Affected Systems
- Argo CD
📦 What is this software?
Argo Cd by Argoproj
Argo Cd by Argoproj
Argo Cd by Argoproj
⚠️ Risk & Real-World Impact
Worst Case
Attackers with cluster read access can steal sensitive authentication tokens (like bearer tokens) and gain unauthorized access to Kubernetes clusters managed by Argo CD.
Likely Case
Users with legitimate cluster access inadvertently expose secret data through normal API usage, potentially leaking credentials to less privileged users.
If Mitigated
With proper RBAC controls limiting cluster access to trusted administrators only, exposure is minimized but still presents an information disclosure risk.
🎯 Exploit Status
Exploitation requires 'clusters, get' RBAC permissions. The vulnerability is straightforward to exploit once an attacker has the required permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.15, 2.7.14, or 2.8.3
Vendor Advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-fwr2-64vr-xv9m
Restart Required: Yes
Instructions:
1. Upgrade Argo CD to version 2.6.15, 2.7.14, or 2.8.3 or higher. 2. Restart Argo CD components. 3. Manually remove the kubectl.kubernetes.io/last-applied-configuration annotation from existing cluster secrets.
🔧 Temporary Workarounds
Use server-side apply for cluster secrets
allDeploy cluster secrets using server-side apply which doesn't use the vulnerable annotation
kubectl apply --server-side=true -f cluster-secret.yaml
🧯 If You Can't Patch
- Implement strict RBAC controls to limit 'clusters, get' permissions to only essential administrators
- Audit all cluster secrets and remove sensitive data where possible, replacing with less sensitive authentication methods
🔍 How to Verify
Check if Vulnerable:
Check if any cluster secrets have kubectl.kubernetes.io/last-applied-configuration annotation containing sensitive data: kubectl get secret -n argocd -l argocd.argoproj.io/secret-type=cluster -o jsonpath='{.items[*].metadata.annotations.kubectl\.kubernetes\.io/last-applied-configuration}'Check Version:
argocd version --shortVerify Fix Applied:
After upgrade, verify the annotation is no longer exposed via Argo CD API for users with cluster get permissions📡 Detection & Monitoring
Log Indicators:
- Unusual cluster secret access patterns via Argo CD API
- Multiple failed attempts to access cluster resources
Network Indicators:
- Unexpected API calls to cluster endpoints from unauthorized sources
SIEM Query:
source="argocd" AND (message="cluster" OR message="secret") AND (user NOT IN ["admin-users-list"])🔗 References
- https://github.com/argoproj/argo-cd/commit/4b2e5b06bff2ffd8ed1970654ddd8e55fc4a41c4
- https://github.com/argoproj/argo-cd/pull/7139
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-fwr2-64vr-xv9m
- https://github.com/argoproj/argo-cd/commit/4b2e5b06bff2ffd8ed1970654ddd8e55fc4a41c4
- https://github.com/argoproj/argo-cd/pull/7139
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-fwr2-64vr-xv9m
