9.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-40029

GHSA ID

GHSA-fwr2-64vr-xv9m

EPSS Score

0.70932%

CWE

CWE-200

Published

9/11/2023

Updated

11/5/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-40029

CVE-2023-40029: Argo CD cluster secret might leak in cluster details page

Impact

Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored inkubectl.kubernetes.io/last-applied-configuration annotation.

https://github.com/argoproj/argo-cd/pull/7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets it also exposes the kubectl.kubernetes.io/last-applied-configuration annotation which includes full secret body. In order to view the cluster annotations via the Argo CD API, the user must have clusters, get RBAC access.

Note: In many cases, cluster secrets do not contain any actually-secret information. But sometimes, as in bearer-token auth, the contents might be very sensitive.

Patches

The bug has been patched in the following versions:

2.8.3
2.7.14
2.6.15

Workarounds

Update/Deploy cluster secret with server-side-apply flag which does not use or rely on kubectl.kubernetes.io/last-applied-configuration annotation. Note: annotation for existing secrets will require manual removal.

For more information

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

(GitHub Advisory)

9.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-40029

GHSA ID

GHSA-fwr2-64vr-xv9m

EPSS Score

0.70932%

CWE

CWE-200

Published

9/11/2023

Updated

11/5/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/argoproj/argo-cd/v2	go	>= 2.2.0, < 2.6.15	2.6.15
github.com/argoproj/argo-cd/v2	go	>= 2.7.0, < 2.7.14	2.7.14
github.com/argoproj/argo-cd/v2	go	>= 2.8.0, < 2.8.3	2.8.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of Kubernetes last-applied-configuration annotations in cluster secrets. The clusterToSecret function lacked validation to prevent storage of this annotation, while SecretToCluster failed to strip it when exposing cluster details. The security patches (44e52c4, 4b2e5b0) explicitly add annotation validation in clusterToSecret and annotation stripping in SecretToCluster, confirming these were the vulnerable points. These functions directly handle secret/cluster conversion and annotation management, making them the clear vulnerability sources.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *r*o ** *lust*r s**r*ts mi**t ** m*n**** ***l*r*tiv*ly usin* *r*o ** / ku***tl *pply. *s * r*sult, t** *ull s**r*t *o*y is stor** in`ku***tl.ku**rn*t*s.io/l*st-*ppli**-*on*i*ur*tion` *nnot*tion. *ttps://*it*u*.*om/*r*oproj/*r*o-**/pull/

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* Ku**rn*t*s l*st-*ppli**-*on*i*ur*tion *nnot*tions in *lust*r s**r*ts. T** *lust*rToS**r*t *un*tion l**k** v*li**tion to pr*v*nt stor*** o* t*is *nnot*tion, w*il* S**r*tTo*lust*r **il** to strip it w**

9.9

Basic Information

Concerned about an active attack path?

CVE-2023-40029: Argo CD cluster secret might leak in cluster details page

Impact

Patches

Workarounds

For more information

9.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI