Bug 2162517 (CVE-2023-22736) - CVE-2023-22736 argocd: Controller reconciles apps outside configured namespaces when sharding is enabled
Summary: CVE-2023-22736 argocd: Controller reconciles apps outside configured namespac...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-22736
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2162518
Reported: 2023-01-19 19:00 UTC by Zack Miele
Modified: 2023-01-28 05:22 UTC (History)

Fixed In Version: ArgoCD-2.6.0-rc5, ArgoCD-2.5.8, ArgoCD-2.4.20, ArgoCD-2.3.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Red Hat GitOps, which is vulnerable to an authorization bypass in ArgoCD. This flaw allows users to deploy applications outside the allowed namespaces. The issue happens due to a logic error when interpreting the comma-separated namespaces list. To complete the attack, the attacker must have enough privileges to update deployed applications.
Clone Of:
Environment:
Last Closed: 2023-01-28 05:22:10 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:0467 0 None None None 2023-01-25 20:31:58 UTC

Description Zack Miele 2023-01-19 19:00:48 UTC
All Argo CD versions starting with 2.5.0-rc1 are vulnerable to an
authorization bypass bug which allows a malicious Argo CD user to deploy
Applications outside the configured allowed namespaces.

Reconciled Application namespaces are specified as a comma-delimited list
of glob patterns. When sharding is enabled on the Application controller,
it does not enforce that list of patterns when reconciling Applications.
For example, if Application namespaces are configured to be argocd-*, the
Application controller may reconcile an Application installed in a
namespace called other, even though it does not start with argocd-.

Reconciliation of the out-of-bounds Application is only triggered when the
Application is updated, so the attacker must be able to cause an update
operation on the Application resource.

Limitations

This bug only applies to users who have explicitly enabled the
"apps-in-any-namespace" feature by setting application.namespaces in the
argocd-cmd-params-cm ConfigMap or otherwise setting the
--application-namespaces flags on the Application controller and API server
components. The apps-in-any-namespace feature is in beta as of this
Security Advisory's publish date.

The bug is also limited to Argo CD instances where sharding is enabled by
increasing the replicas count for the Application controller.

Finally, the AppProjects' sourceNamespaces field acts as a secondary check
against this exploit. To cause reconciliation of an Application in an
out-of-bounds namespace, an AppProject must be available which permits
Applications in the out-of-bounds namespace.
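
As an added illustration (not Argo CD's code and not part of this report): the two independent checks a sharded controller has to apply before reconciling an Application, and an audit helper an operator can run over an inventory of Applications to find ones outside the configured namespaces. It assumes path.Match as the glob engine, treats the configured list as the complete allow-list, and reduces the Application resource and shard assignment to a struct and a boolean.

```go
package main

import (
	"path"
	"strings"
)

// Application: minimal stand-in for an Argo CD Application (constructed).
type Application struct{ Name, Namespace string }

// ParseNamespacePatterns splits the comma-delimited application.namespaces
// value into trimmed glob patterns, dropping empty entries.
func ParseNamespacePatterns(raw string) []string {
	var patterns []string
	for _, p := range strings.Split(raw, ",") {
		if p = strings.TrimSpace(p); p != "" {
			patterns = append(patterns, p)
		}
	}
	return patterns
}

// NamespaceAllowed reports whether ns matches at least one pattern. path.Match
// is the glob engine here (an assumption; Argo CD's own matcher may differ).
func NamespaceAllowed(patterns []string, ns string) bool {
	for _, p := range patterns {
		if ok, err := path.Match(p, ns); err == nil && ok {
			return true
		}
	}
	return false
}

// ShouldReconcile is the gate a sharded controller must apply: assigned to this
// shard AND in an allowed namespace; the flaw above skips the second test.
func ShouldReconcile(patterns []string, app Application, onThisShard bool) bool {
	return onThisShard && NamespaceAllowed(patterns, app.Namespace)
}

// OutOfBounds lists apps whose namespace matches no pattern (what to audit for).
func OutOfBounds(patterns []string, apps []Application) []Application {
	var out []Application
	for _, a := range apps {
		if !NamespaceAllowed(patterns, a.Namespace) {
			out = append(out, a)
		}
	}
	return out
}
```

Feeding OutOfBounds the namespaces and names from a cluster-wide listing of Application resources gives a quick check of whether anything already sits outside the allowed patterns.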

Comment 2 errata-xmlrpc 2023-01-25 20:31:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.7

Via RHSA-2023:0467 https://access.redhat.com/errata/RHSA-2023:0467

Comment 3 Product Security DevOps Team 2023-01-28 05:22:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-22736

