6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-50726

GHSA ID

GHSA-g623-jcgg-mhmm

EPSS Score

0.05041%

CWE

CWE-269

Published

3/15/2024

Updated

3/15/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-50726

CVE-2023-50726: Users with `create` but not `override` privileges can perform local sync

Impact

"Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git.

An improper validation bug allows users who have create privileges but not override privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source.

The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added.

Patches

The bug has been patched in the following versions:

2.10.3
2.9.8
2.8.12

Workarounds

To immediately mitigate the risk of branch protection bypass, remove applications, create RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.

Branch protection rules and review requirements are a great way to enforce security constraints in a GitOps environment, but they should be just one layer in a multi-layered approach. Make sure your AppProject and RBAC restrictions are as thorough as possible to prevent a review bypass vulnerability from permitting excessive damage.

References

Argo CD RBAC documentation

For more information

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

(GitHub Advisory)

6.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-50726

GHSA ID

GHSA-g623-jcgg-mhmm

EPSS Score

0.05041%

CWE

CWE-269

Published

3/15/2024

Updated

3/15/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/argoproj/argo-cd	go	>= 1.2.0-rc1, <= 1.8.7
github.com/argoproj/argo-cd/v2	go	>= 2.9.0, < 2.9.8	2.9.8
github.com/argoproj/argo-cd/v2	go	>= 2.10.0, < 2.10.3	2.10.3
github.com/argoproj/argo-cd/v2	go	>= 2.0.0-rc3, < 2.8.12	2.8.12

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper validation in the application creation flow. The commit diff shows a security patch adding validation to strip the Operation field during creation, with a warning about bypassing branch protection. The original vulnerable code path allowed users to set manifests via the Operation.Sync.Manifests field during application creation without requiring 'override' privileges. The Server.Create function was the entry point for this insecure operation validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t "Lo**l syn*" is *n *r*o ** ***tur* t**t *llows **v*lop*rs to t*mpor*rily ov*rri** *n *ppli**tion's m*ni**sts wit* lo**lly-***in** m*ni**sts. Us* o* t** ***tur* s*oul* **n*r*lly ** limit** to *i**ly-trust** us*rs, sin** it *llows t** us*r

Reasoning

T** vuln*r**ility st*ms *rom improp*r v*li**tion in t** *ppli**tion *r**tion *low. T** *ommit *i** s*ows * s**urity p*t** ***in* v*li**tion to strip t** Op*r*tion *i*l* *urin* *r**tion, wit* * w*rnin* **out *yp*ssin* *r*n** prot**tion. T** ori*in*l v

6.4

Basic Information

Concerned about an active attack path?

CVE-2023-50726: Users with `create` but not `override` privileges can perform local sync

Impact

Patches

Workarounds

References

For more information

6.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI