CVE-2022-24768: 
Argo CD vulnerability analysis and mitigation

CVE-2022-24768 affects Argo CD, a declarative GitOps continuous delivery tool for Kubernetes. All unpatched versions starting from 1.0.0 are vulnerable to an improper access control bug that could allow privilege escalation to admin-level. The vulnerability was disclosed on March 23, 2022, and patches were released in versions 2.3.2, 2.2.8, and 2.1.14 (GitHub Advisory).

The vulnerability is an improper access control issue that allows unauthorized access to resources. It has received a CVSS v3.1 base score of 9.9 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). To exploit this vulnerability, an authorized Argo CD user must have either push access to an Application's source git/Helm repository or 'sync' and 'override' access to an Application (GitHub Advisory).

The vulnerability allows different levels of exploitation depending on user RBAC privileges: users with update access can modify any resource on the Application's destination cluster; users with delete access can remove any resource; users with get access can view resources and list available actions; and users with action privileges can execute actions for any supported resource. If the destination cluster is the same as the Argo CD hosting cluster, privileges can be escalated to admin-level (GitHub Advisory).

Patches have been released in Argo CD versions 2.3.2, 2.2.8, and 2.1.14. For users unable to upgrade immediately, temporary mitigations include: limiting push access to Application source repositories, restricting sync and override access to Applications, limiting repository availability in projects where users have update access, and restricting delete, get, or action access to Applications. However, these mitigations are not substitutes for upgrading (GitHub Advisory).

The security fix resulted in changes to how Argo CD UI presents child resources of allow-listed resources. After the patch, child resources must be explicitly allow-listed to be visible. For example, if only Deployment is in the allow-list, Pods will not be shown unless specifically added (Release Notes).