CVE-2023-40026: 
Argo CD vulnerability analysis and mitigation

Argo CD, a declarative continuous deployment framework for Kubernetes, was found to contain a vulnerability in versions prior to 2.3 (starting from v0.1.0) where specifically-crafted Helm files could reference external Helm charts to leak values and files from other charts due to predictable Helm paths (GitHub Advisory, NVD).

The vulnerability (CVE-2023-40026) stems from predictable paths in Helm charts handled by the repo-server. An attacker could exploit this by adding a Helm chart that referenced Helm resources from these predictable paths, allowing them to reference and render values and resources from other existing Helm charts regardless of permissions. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 MEDIUM by NVD and 5.0 MEDIUM by GitHub, with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N (NVD).

While secrets are generally not stored in these files, the vulnerability allowed unauthorized access to any values from affected Helm charts. The impact primarily affects data confidentiality, as it enables information leakage from other Helm charts managed by the same repo-server (GitHub Advisory).

The vulnerability was fixed in Argo CD 2.3 and subsequent versions by randomizing Helm paths. For users unable to upgrade to version 2.3 or later, two workarounds are available: either disable Helm chart rendering or use an additional repo-server for each Helm chart to prevent exploitation (GitHub Advisory).