SCA: security update for github.com/argoproj/argo-cd/v2 (GHSA-6p4m-hw2h-6gmw)

high Tenable Cloud Security Plugin ID 411546

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions starting with 2.5.0-rc1
and above, prior to 2.5.8, and version 2.6.0-rc4, are vulnerable to an authorization bypass bug which
allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces.
Reconciled Application namespaces are specified as a comma-delimited list of glob patterns. When sharding
is enabled on the Application controller, it does not enforce that list of patterns when reconciling
Applications. For example, if Application namespaces are configured to be argocd-*, the Application
controller may reconcile an Application installed in a namespace called other, even though it does not
start with argocd-. Reconciliation of the out-of-bounds Application is only triggered when the Application
is updated, so the attacker must be able to cause an update operation on the Application resource. This
bug only applies to users who have explicitly enabled the "apps-in-any-namespace" feature by setting
`application.namespaces` in the argocd-cmd-params-cm ConfigMap or otherwise setting the `--application-
namespaces` flags on the Application controller and API server components. The apps-in-any-namespace
feature is in beta as of this Security Advisory's publish date. The bug is also limited to Argo CD
instances where sharding is enabled by increasing the `replicas` count for the Application controller.
Finally, the AppProjects' `sourceNamespaces` field acts as a secondary check against this exploit. To
cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available
which permits Applications in the out-of-bounds namespace. A patch for this vulnerability has been
released in versions 2.5.8 and 2.6.0-rc5. As a workaround, running only one replica of the Application
controller will prevent exploitation of this bug. Making sure all AppProjects' sourceNamespaces are
restricted within the confines of the configured Application namespaces will also prevent exploitation of
this bug. (CVE-2023-22736)

See Also

https://github.com/advisories/GHSA-6p4m-hw2h-6gmw

Plugin Details

Severity: High

ID: 411546

Version: Revision 1.10

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.66

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-22736

CVSS v3

Risk Factor: High

Base Score: 8.5

Temporal Score: 7.4

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/25/2023

Vulnerability Publication Date: 1/25/2023

Reference Information

CVE: CVE-2023-22736

cwe: CWE-862