Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-2gvw-w6fj-7m3c: Argo CD's API server does not enforce project sourceNamespaces

Impact

I can convince the UI to let me do things with an invalid Application.

  1. Admin gives me p, michael, applications, *, demo/*, allow, where demo can just deploy to the demo namespace
  2. Admin gives me AppProject dev which reconciles from ns dev-apps
  3. Admin gives me p, michael, applications, sync, dev/*, allow, i.e. no updating via the UI allowed, gitops-only
  4. I create an Application called pwn in dev-apps with project dev and sync the app with sources from git
  5. I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe)
  6. I use the UI to edit the resource which should only be mutable via gitops

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.10.7 v2.9.12 v2.8.16

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd

Credits

This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

ghsa
#vulnerability#git
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-31990

Argo CD’s API server does not enforce project sourceNamespaces

Moderate severity GitHub Reviewed Published Apr 15, 2024 in argoproj/argo-cd • Updated Apr 15, 2024

Package

gomod github.com/argoproj/argo-cd/v2 (Go)

Affected versions

>= 2.4.0, < 2.8.16

>= 2.9.0, < 2.9.12

>= 2.10.0, < 2.10.7

Patched versions

2.8.16

2.9.12

2.10.7

Impact

I can convince the UI to let me do things with an invalid Application.

  1. Admin gives me p, michael, applications, , demo/, allow, where demo can just deploy to the demo namespace
  2. Admin gives me AppProject dev which reconciles from ns dev-apps
  3. Admin gives me p, michael, applications, sync, dev/*, allow, i.e. no updating via the UI allowed, gitops-only
  4. I create an Application called pwn in dev-apps with project dev and sync the app with sources from git
  5. I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe)
  6. I use the UI to edit the resource which should only be mutable via gitops

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.10.7
v2.9.12
v2.8.16

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Credits

This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

References

  • GHSA-2gvw-w6fj-7m3c
  • argoproj/argo-cd@c514105
  • argoproj/argo-cd@c5a252c
  • argoproj/argo-cd@e0ff56d

Published to the GitHub Advisory Database

Apr 15, 2024

Last updated

Apr 15, 2024

Related news

Red Hat Security Advisory 2024-2816-03

Red Hat Security Advisory 2024-2816-03 - An update is now available for Red Hat OpenShift GitOps v1.12.2 for Argo CD UI and Console Plugin. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.