Bug 2167819 (CVE-2023-23947)

Summary: CVE-2023-23947 ArgoCD: Users with any cluster secret update access may update out-of-bounds cluster secrets
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aveerama, ellin, rgarg, scorneli, security-response-team, shbose, ubhargav
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in ArgoCD. An improper authorization bug may allow an attacker to update at least one cluster secret, enabling them to change any other cluster secret. The attacker must know the URL for the targeted cluster and additionally it should be authenticated within the ArgoCD API server with enough privileges to update at least one cluster. A successful attack may lead to privilege escalations or denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-02-17 09:45:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2167489    

Description Marco Benatto 2023-02-07 16:06:46 UTC 
All Argo CD versions starting with v2.3.0-rc1 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret.The attacker could use this access to escalate privileges (potentially controlling Kubernetes
resources) or to break Argo CD functionality (by preventing connections to external clusters).
Comment 2 errata-xmlrpc 2023-02-17 03:32:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.6

Via RHSA-2023:0802 https://access.redhat.com/errata/RHSA-2023:0802
Comment 3 errata-xmlrpc 2023-02-17 03:46:22 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.7

Via RHSA-2023:0803 https://access.redhat.com/errata/RHSA-2023:0803
Comment 4 errata-xmlrpc 2023-02-17 04:12:15 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.5

Via RHSA-2023:0804 https://access.redhat.com/errata/RHSA-2023:0804
Comment 5 Product Security DevOps Team 2023-02-17 09:44:59 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-23947