CVE-2023-23947
Argo CD vulnerability analysis and mitigation

Overview

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, was found to contain a critical security vulnerability (CVE-2023-23947) with a CVSS score of 9.1. The vulnerability affects Argo CD versions from 2.3.0-rc1 up to and including 2.3.16, 2.4.22, 2.5.10, and 2.6.1. The flaw was introduced when Argo CD began storing cluster access configurations as Kubernetes Secrets (GitHub Advisory, Security Online).

Technical details

The vulnerability is an improper authorization bug: a user who is allowed to update at least one cluster secret can update any cluster secret. Exploitation requires several prerequisites: the attacker must know the server URL of the target cluster secret, be authenticated to the Argo CD API server, and be authorized to update at least one non-project-scoped cluster. The vulnerability carries a Critical severity rating with a CVSS v3.1 score of 9.1, reflecting its high impact potential (GitHub Advisory).

Impact

Exploitation of this vulnerability could lead to privilege escalation, potentially giving an attacker control over Kubernetes resources. An attacker could also disrupt Argo CD by preventing connections to external clusters. Additionally, an attacker could modify cluster connection parameters, for example disabling certificate verification to enable malicious-in-the-middle (MITM) attacks, or set invalid configurations to cause a denial of service (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in Argo CD versions 2.6.2, 2.5.11, 2.4.23, and 2.3.17. For users unable to upgrade immediately, two workarounds are available: 1) modify the RBAC configuration to completely revoke all "clusters, update" access, or 2) use the "destinations" and "clusterResourceWhitelist" fields in AppProjects to apply restrictions similar to those of the "namespaces" and "clusterResources" fields. Users should also enforce strict RBAC restrictions and limit "projects, update" access to Argo CD administrators only (GitHub Advisory).
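As a check that the first workaround has actually been applied, the following is an added example (not from the advisory or the Argo CD project) that audits an Argo CD policy.csv for any subject whose effective roles still grant "clusters, update". The sample policies are constructed, and the parser assumes the documented "p, subject, resource, action, object, effect" and "g, member, role" line grammar.

```python
from collections import defaultdict

# Constructed sample policy.csv (assumed grammar: 'p, subject, resource, action,
# object, effect' and 'g, member, role'). role:deployer carries exactly the
# 'clusters, update' grant the workaround tells you to revoke.
SAMPLE_POLICY = """\
p, role:deployer, applications, *, */*, allow
p, role:deployer, clusters, update, *, allow
p, role:viewer, clusters, get, *, allow
g, alice, role:deployer
g, role:release, role:deployer
g, bob, role:release
g, carol, role:viewer
"""
# Same policy with the grant removed: the state the workaround aims for.
HARDENED_POLICY = SAMPLE_POLICY.replace("p, role:deployer, clusters, update, *, allow\n", "")


def parse_policy(text):
    """Split policy.csv into p-grants and g-memberships (member -> roles)."""
    grants, memberships = [], defaultdict(set)
    for line in text.splitlines():
        row = [f.strip() for f in line.split(",")]
        if row[0] == "p" and len(row) == 6:
            grants.append(tuple(row[1:]))  # subject, resource, action, object, effect
        elif row[0] == "g" and len(row) == 3:
            memberships[row[1]].add(row[2])
    return grants, memberships


def effective_roles(subject, memberships):
    """The subject plus every role reachable transitively through g-lines."""
    seen, todo = {subject}, [subject]
    while todo:
        for role in memberships.get(todo.pop(), ()):
            if role not in seen:
                seen.add(role)
                todo.append(role)
    return seen


def subjects_with_cluster_update(text):
    """Subjects whose effective roles allow 'clusters, update' on any object."""
    grants, memberships = parse_policy(text)
    # '*' in the resource or action column covers the action. Argo CD's real
    # matcher is glob-based; treating only '*' as a wildcard is a simplification.
    risky = {s for s, res, act, _, eff in grants
             if eff == "allow" and res in ("clusters", "*") and act in ("update", "*")}
    subjects = set(memberships) | {g[0] for g in grants}
    return sorted(s for s in subjects if effective_roles(s, memberships) & risky)
```

Run it against the policy.csv key of your argocd-rbac-cm ConfigMap; any non-admin subject in the output still holds the access the workaround is meant to remove.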


Related Argo CD vulnerabilities:

CVE ID         | Severity | Score | Technologies | Component name                     | CISA KEV exploit | Has fix | Published date
CVE-2025-55190 | CRITICAL | 9.9   | Argo CD      | argocd-2.14                        | No               | Yes     | Sep 04, 2025
CVE-2025-59538 | HIGH     | 7.5   | Argo CD      | argocd-3.0                         | No               | Yes     | Oct 01, 2025
CVE-2025-59537 | HIGH     | 7.5   | Argo CD      | argocd-fips-3.0                    | No               | Yes     | Oct 01, 2025
CVE-2025-59531 | HIGH     | 7.5   | Argo CD      | cpe:2.3:a:linuxfoundation:argo-cd  | No               | Yes     | Oct 01, 2025
CVE-2025-55191 | MEDIUM   | 5.3   | Argo CD      | github.com/argoproj/argo-cd        | No               | Yes     | Sep 30, 2025
