SCA: security update for github.com/argoproj/argo-cd/v2 (GHSA-6jqw-jwf5-rp8h)

medium Tenable Cloud Security Plugin ID 411503

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Argo CD is a declarative continuous deployment framework for Kubernetes. In Argo CD versions prior to 2.3
(starting at least in v0.1.0, but likely in any version using Helm before 2.3), using a specifically-
crafted Helm file could reference external Helm charts handled by the same repo-server to leak values, or
files from the referenced Helm Chart. This was possible because Helm paths were predictable. The
vulnerability worked by adding a Helm chart that referenced Helm resources from predictable paths. Because
the paths of Helm charts were predictable and available on an instance of repo-server, it was possible to
reference and then render the values and resources from other existing Helm charts regardless of
permissions. While generally, secrets are not stored in these files, it was nevertheless possible to
reference any values from these charts. This issue was fixed in Argo CD 2.3 and subsequent versions by
randomizing Helm paths. User's still using Argo CD 2.3 or below are advised to update to a supported
version. If this is not possible, disabling Helm chart rendering, or using an additional repo-server for
each Helm chart would prevent possible exploitation. (CVE-2023-40026)

See Also

https://github.com/advisories/GHSA-6jqw-jwf5-rp8h

Plugin Details

Severity: Medium

ID: 411503

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2023-40026

CVSS v3

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/27/2023

Vulnerability Publication Date: 9/27/2023

Reference Information

CVE: CVE-2023-40026