{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-22736", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-01-06T14:21:05.892Z", "datePublished": "2023-01-26T03:35:27.309Z", "dateUpdated": "2024-08-02T10:13:50.215Z"}, "containers": {"cna": {"title": "argo-cd Controller reconciles apps outside configured namespaces when sharding is enabled", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw"}], "affected": [{"vendor": "argoproj", "product": "argo-cd", "versions": [{"version": ">= 2.5.0=rc1, < 2.5.8", "status": "affected"}, {"version": "= 2.6.0-rc4, < 2.6.0-rc5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-26T03:35:27.309Z"}, "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource. This bug only applies to users who have explicitly enabled the \"apps-in-any-namespace\" feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-namespaces` flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory's publish date. The bug is also limited to Argo CD instances where sharding is enabled by increasing the `replicas` count for the Application controller. Finally, the AppProjects' `sourceNamespaces` field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace. A patch for this vulnerability has been released in versions 2.5.8 and 2.6.0-rc5. As a workaround, running only one replica of the Application controller will prevent exploitation of this bug. Making sure all AppProjects' sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug."}], "source": {"advisory": "GHSA-6p4m-hw2h-6gmw", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:13:50.215Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "7508D913-6A85-47EB-97D8-E31F35CC6188", "versionEndExcluding": "2.5.8", "versionStartIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4E9E8774-D703-4CE5-8B90-EE3CD7A45005", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "EC71D67C-2326-401A-AB60-961A3C500FDC", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "F78053BA-9B03-4831-881A-8C71C8B583D8", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "F5C06F6A-AB8A-4633-912E-B07046ECF5C8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource. This bug only applies to users who have explicitly enabled the \"apps-in-any-namespace\" feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-namespaces` flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory's publish date. The bug is also limited to Argo CD instances where sharding is enabled by increasing the `replicas` count for the Application controller. Finally, the AppProjects' `sourceNamespaces` field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace. A patch for this vulnerability has been released in versions 2.5.8 and 2.6.0-rc5. As a workaround, running only one replica of the Application controller will prevent exploitation of this bug. Making sure all AppProjects' sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug."}, {"lang": "es", "value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Las versiones que comienzan con 2.5.0-rc1 y superiores, anteriores a 2.5.8 y la versi\u00f3n 2.6.0-rc4, son vulnerables a un error de omisi\u00f3n de autorizaci\u00f3n que permite a un usuario malintencionado de Argo CD implementar aplicaciones fuera de los espacios de nombres permitidos configurados. Los espacios de nombres de aplicaciones reconciliados se especifican como una lista de patrones globales delimitados por comas. Cuando la fragmentaci\u00f3n est\u00e1 habilitada en el controlador de aplicaciones, no aplica esa lista de patrones al conciliar aplicaciones. Por ejemplo, si los espacios de nombres de las aplicaciones est\u00e1n configurados para ser argocd-*, el controlador de la aplicaci\u00f3n puede conciliar una aplicaci\u00f3n instalada en un espacio de nombres llamado other, aunque no comience con argocd-. La conciliaci\u00f3n de la aplicaci\u00f3n fuera de los l\u00edmites solo se activa cuando la aplicaci\u00f3n se actualiza, por lo que el atacante debe poder provocar una operaci\u00f3n de actualizaci\u00f3n en el recurso de la aplicaci\u00f3n. Este error solo se aplica a los usuarios que han habilitado expl\u00edcitamente la funci\u00f3n \"aplicaciones en cualquier espacio de nombres\" configurando `application.namespaces` en el ConfigMap argocd-cmd-params-cm o configurando de otro modo los indicadores `--application-namespaces` en los componentes del controlador de aplicaciones y del servidor API. La funci\u00f3n de aplicaciones en cualquier espacio de nombres se encuentra en versi\u00f3n beta a partir de la fecha de publicaci\u00f3n de este aviso de seguridad. El error tambi\u00e9n se limita a las instancias de Argo CD donde la fragmentaci\u00f3n se habilita aumentando el recuento de \"r\u00e9plicas\" para el controlador de la aplicaci\u00f3n. Finalmente, el campo `sourceNamespaces` de AppProjects act\u00faa como una verificaci\u00f3n secundaria contra este exploit. Para provocar la conciliaci\u00f3n de una aplicaci\u00f3n en un espacio de nombres fuera de los l\u00edmites, debe estar disponible un AppProject que permita aplicaciones en el espacio de nombres fuera de los l\u00edmites. Se lanz\u00f3 un parche para esta vulnerabilidad en las versiones 2.5.8 y 2.6.0-rc5. Como workaround, ejecutar solo una r\u00e9plica del controlador de la aplicaci\u00f3n evitar\u00e1 que se aproveche este error. Asegurarse de que todos los espacios de nombres de origen de AppProjects est\u00e9n restringidos dentro de los l\u00edmites de los espacios de nombres de aplicaciones configurados tambi\u00e9n evitar\u00e1 la explotaci\u00f3n de este error."}], "id": "CVE-2023-22736", "lastModified": "2024-08-07T15:43:51.540", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-01-26T21:18:13.110", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:0467", "cpe": "cpe:/a:redhat:openshift_gitops:1.7::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.7.1-2", "product_name": "Red Hat OpenShift GitOps 1.7", "release_date": "2023-01-25T00:00:00Z"}], "bugzilla": {"description": "argocd: Controller reconciles apps outside configured namespaces when sharding is enabled", "id": "2162517", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2162517"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "details": ["Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1 and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding is enabled on the Application controller, it does not enforce that list of patterns when reconciling Applications. For example, if Application namespaces are configured to be argocd-*, the Application controller may reconcile an Application installed in a namespace called other, even though it does not start with argocd-. Reconciliation of the out-of-bounds Application is only triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource. This bug only applies to users who have explicitly enabled the \"apps-in-any-namespace\" feature by setting `application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-namespaces` flags on the Application controller and API server components. The apps-in-any-namespace feature is in beta as of this Security Advisory's publish date. The bug is also limited to Argo CD instances where sharding is enabled by increasing the `replicas` count for the Application controller. Finally, the AppProjects' `sourceNamespaces` field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace. A patch for this vulnerability has been released in versions 2.5.8 and 2.6.0-rc5. As a workaround, running only one replica of the Application controller will prevent exploitation of this bug. Making sure all AppProjects' sourceNamespaces are restricted within the confines of the configured Application namespaces will also prevent exploitation of this bug.", "A flaw was found in Red Hat GitOps, which is vulnerable to an authorization bypass in ArgoCD. This flaw allows users to deploy applications outside the allowed namespaces. The issue happens due to a logic error when interpreting the comma-separated namespaces list. To complete the attack, the attacker must have enough privileges to update deployed applications."], "name": "CVE-2023-22736", "public_date": "2023-01-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-22736\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-22736\nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-6p4m-hw2h-6gmw"], "statement": "This issue only affects Red Hat GitOps version 1.7, as the vulnerability was introduced in ArgoCD-2.5.\nThis vulnerability affects only deployments with \"apps-in-any-namespace\" feature by setting application.namespaces in the argocd-cmd-params-cm ConfigMap or otherwise setting the --application-namespaces flags on the Application controller and API server components.", "threat_severity": "Important", "upstream_fix": "ArgoCD 2.5.8, ArgoCD 2.4.20, ArgoCD 2.3.14, ArgoCD-2.6.0 rc5"}