Headline
GHSA-2gvw-w6fj-7m3c: Argo CD's API server does not enforce project sourceNamespaces
Impact
I can convince the UI to let me do things with an invalid Application.
- Admin gives me
p, michael, applications, *, demo/*, allow
, wheredemo
can just deploy to thedemo
namespace - Admin gives me AppProject
dev
which reconciles from nsdev-apps
- Admin gives me
p, michael, applications, sync, dev/*, allow
, i.e. no updating via the UI allowed, gitops-only - I create an Application called
pwn
indev-apps
with project dev and sync the app with sources from git - I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe)
- I use the UI to edit the resource which should only be mutable via gitops
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.10.7 v2.9.12 v2.8.16
For more information
If you have any questions or comments about this advisory:
Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd
Credits
This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-31990
Argo CD’s API server does not enforce project sourceNamespaces
Moderate severity GitHub Reviewed Published Apr 15, 2024 in argoproj/argo-cd • Updated Apr 15, 2024
Package
gomod github.com/argoproj/argo-cd/v2 (Go)
Affected versions
>= 2.4.0, < 2.8.16
>= 2.9.0, < 2.9.12
>= 2.10.0, < 2.10.7
Patched versions
2.8.16
2.9.12
2.10.7
Impact
I can convince the UI to let me do things with an invalid Application.
- Admin gives me p, michael, applications, , demo/, allow, where demo can just deploy to the demo namespace
- Admin gives me AppProject dev which reconciles from ns dev-apps
- Admin gives me p, michael, applications, sync, dev/*, allow, i.e. no updating via the UI allowed, gitops-only
- I create an Application called pwn in dev-apps with project dev and sync the app with sources from git
- I change the Application’s project to demo via kubectl or gitops (whichever mechanism my admins have given me, because it should be safe)
- I use the UI to edit the resource which should only be mutable via gitops
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.10.7
v2.9.12
v2.8.16
For more information
If you have any questions or comments about this advisory:
Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd
Credits
This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
References
- GHSA-2gvw-w6fj-7m3c
- argoproj/argo-cd@c514105
- argoproj/argo-cd@c5a252c
- argoproj/argo-cd@e0ff56d
Published to the GitHub Advisory Database
Apr 15, 2024
Last updated
Apr 15, 2024
Related news
Red Hat Security Advisory 2024-2816-03 - An update is now available for Red Hat OpenShift GitOps v1.12.2 for Argo CD UI and Console Plugin. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.