All Argo CD versions starting with v2.3.0-rc1 are vulnerable to an improper authorization bug that allows users who have the ability to update at least one cluster secret to update any cluster secret. An attacker could use this access to escalate privileges (a rewritten cluster secret can redirect Argo CD's credentials or target, potentially giving control over Kubernetes resources) or to break Argo CD functionality (by preventing connections to external clusters).
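The following Go program is an added illustration of the authorization flaw class described above; it is not Argo CD's code, and the page does not say which request field the real check consulted. It assumes the shape Argo CD uses for project-scoped cluster RBAC objects, "project/server", together with a hypothetical policy granting a user update rights on every server in one project ("dev/*"). The vulnerable handler authorizes against the project and server written into the request body and then modifies whichever stored record matches the requested server, so a user allowed to update clusters in one project can target any server. The hardened handler loads the stored record first and enforces against its attributes. Cluster records, the store and the user are constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Cluster is a simplified stand-in for the data held in a cluster secret
// (constructed for this example; not Argo CD's real type).
type Cluster struct {
	Server  string // API server URL, used as the secret's identity
	Project string // project scope; RBAC objects are "project/server"
	Token   string // credential for the cluster
}

// Store maps server URL -> stored cluster record.
type Store map[string]*Cluster

// RBAC maps user -> granted "project/server" objects for clusters:update.
// A trailing "*" grants every server inside that project (hypothetical policy shape).
type RBAC map[string]map[string]bool

var ErrForbidden = errors.New("permission denied")

// Enforce reports whether user may update the object project/server.
func (r RBAC) Enforce(user, project, server string) bool {
	grants := r[user] // nil map for unknown users; lookups simply return false
	return grants[project+"/"+server] || grants[project+"/*"]
}

// UpdateRequest carries the caller-supplied cluster document.
type UpdateRequest struct{ Cluster Cluster }

// VulnerableUpdate authorizes against the project and server the caller wrote into
// the request body, but the record it modifies is the one stored under
// req.Cluster.Server. Naming a project the caller controls and a server they do
// not is enough to pass the check and overwrite the other cluster's secret.
func VulnerableUpdate(store Store, rbac RBAC, user string, req UpdateRequest) error {
	if !rbac.Enforce(user, req.Cluster.Project, req.Cluster.Server) {
		return ErrForbidden
	}
	existing, ok := store[req.Cluster.Server]
	if !ok {
		return ErrForbidden
	}
	*existing = req.Cluster
	return nil
}

// HardenedUpdate loads the stored record first and authorizes against its stored
// project and server, not the caller's claims. Moving a cluster into a different
// project is itself a privilege change, so rights on the new scope are required too.
func HardenedUpdate(store Store, rbac RBAC, user string, req UpdateRequest) error {
	existing, ok := store[req.Cluster.Server]
	if !ok {
		return ErrForbidden // same answer as a denial: do not leak which servers exist
	}
	if !rbac.Enforce(user, existing.Project, existing.Server) {
		return ErrForbidden
	}
	if req.Cluster.Project != existing.Project &&
		!rbac.Enforce(user, req.Cluster.Project, existing.Server) {
		return ErrForbidden
	}
	*existing = req.Cluster
	return nil
}

const prodServer = "https://prod.example.internal"

// newStore builds the constructed sample data: a production cluster in project
// "platform" and a dev cluster in project "dev".
func newStore() Store {
	return Store{
		prodServer:                     {Server: prodServer, Project: "platform", Token: "prod-token"},
		"https://dev.example.internal": {Server: "https://dev.example.internal", Project: "dev", Token: "dev-token"},
	}
}

// Demo sends the same attacker request to both handlers and reports the error
// each returned and the production token left in each store afterwards.
func Demo() (vulnErr error, vulnToken string, hardErr error, hardToken string) {
	rbac := RBAC{"mallory": {"dev/*": true}} // mallory may update clusters in project dev only
	// Attacker request: names her own project but targets the production server.
	req := UpdateRequest{Cluster: Cluster{Server: prodServer, Project: "dev", Token: "attacker-token"}}

	vulnStore := newStore()
	vulnErr = VulnerableUpdate(vulnStore, rbac, "mallory", req)
	vulnToken = vulnStore[prodServer].Token

	hardStore := newStore()
	hardErr = HardenedUpdate(hardStore, rbac, "mallory", req)
	hardToken = hardStore[prodServer].Token
	return
}

func main() {
	vErr, vTok, hErr, hTok := Demo()
	fmt.Printf("vulnerable: err=%v, prod token now %q\n", vErr, vTok)
	fmt.Printf("hardened:   err=%v, prod token now %q\n", hErr, hTok)
}
```

Against the vulnerable handler the request succeeds and the production cluster's token is replaced; the hardened handler returns permission denied and leaves the stored secret untouched. The general rule the example shows: resolve the object being acted on from trusted state first, then authorize against that object's attributes, never against attributes supplied in the same request.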
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.6, via RHSA-2023:0802 (https://access.redhat.com/errata/RHSA-2023:0802)
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.7, via RHSA-2023:0803 (https://access.redhat.com/errata/RHSA-2023:0803)
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.5, via RHSA-2023:0804 (https://access.redhat.com/errata/RHSA-2023:0804)
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-23947