SCA: security update for github.com/argoproj/argo-cd (GHSA-3jfq-742w-xg8j)

high Tenable Self-Hosted Container Security Plugin ID 409571

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting
with 2.3.0-rc1 and prior to 2.3.17, 2.4.23 2.5.11, and 2.6.2 are vulnerable to an improper authorization
bug which allows users who have the ability to update at least one cluster secret to update any cluster
secret. The attacker could use this access to escalate privileges (potentially controlling Kubernetes
resources) or to break Argo CD functionality (by preventing connections to external clusters). A patch for
this vulnerability has been released in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. Two
workarounds are available. Either modify the RBAC configuration to completely revoke all `clusters,
update` access, or use the `destinations` and `clusterResourceWhitelist` fields to apply similar
restrictions as the `namespaces` and `clusterResources` fields. (CVE-2023-23947)

See Also

https://github.com/advisories/GHSA-3jfq-742w-xg8j

Plugin Details

Severity: High

ID: 409571

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.66

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-23947

CVSS v3

Risk Factor: High

Base Score: 8.5

Temporal Score: 7.4

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/16/2023

Vulnerability Publication Date: 2/16/2023

Reference Information

CVE: CVE-2023-23947

cwe: CWE-863