SB2023012633 - Multiple vulnerabilities in Argo CD

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Improper Authorization (CVE-ID: CVE-2023-22736)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to improper authorization checks. A remote user can deploy Applications outside the configured allowed namespaces.

2) Improper Authorization (CVE-ID: CVE-2023-22482)

The vulnerability allows a remote user to gain unauthorized access to the application.

The vulnerability exists due to improper authorization of the Argo CD valid tokens that were issued other audiences. A remote user with a valid token can gain unauthorized access to Argo CD instance.

Remediation

Install update from vendor's website.

References

• https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw
• https://github.com/argoproj/argo-cd/security/advisories/GHSA-q9hr-j4rf-8fjc