
Cloud Vulnerability DB
A community-led vulnerabilities database
Argo CD, a declarative continuous deployment tool for Kubernetes, was found to have a critical vulnerability (CVE-2023-40029) where cluster secrets could potentially be exposed through the kubectl.kubernetes.io/last-applied-configuration annotation. The vulnerability was discovered in versions 2.2.0 through 2.6.14, 2.7.113, and 2.8.2, and was patched in versions 2.8.3, 2.7.14, and 2.6.15 (GitHub Advisory).
The vulnerability was introduced in pull request #7139, which added functionality to manage cluster labels and annotations. Since clusters are stored as secrets, this feature inadvertently exposed the kubectl.kubernetes.io/last-applied-configuration annotation, which contains the full secret body as last applied by kubectl. To read this information via the Argo CD API, a user needs the "clusters, get" RBAC permission. The vulnerability has been assigned a CVSS v3.1 base score of 9.6 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) by NVD, and 9.9 CRITICAL by GitHub (NVD, GitHub Advisory).
While in many cases cluster secrets may not contain sensitive information, in scenarios using bearer-token authentication, the exposed contents could be highly sensitive. The vulnerability could lead to unauthorized access to cluster authentication details and other confidential configuration data (GitHub Advisory).
Users are advised to upgrade to the patched versions (2.8.3, 2.7.14, or 2.6.15). For those unable to upgrade immediately, a workaround is to update or deploy cluster secrets with the server-side-apply flag, which does not write the kubectl.kubernetes.io/last-applied-configuration annotation. Existing secrets require manual removal of the annotation (GitHub Advisory).
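The two points above (the annotation echoing the whole secret body, and the workaround of removing it) can be checked from the defender's side. The script below is an added example, not code from the advisory, Wiz, or the Argo CD project: it takes the "items" list of a kubectl get secrets -n argocd -o json dump, flags cluster secrets (Argo CD marks them with the label argocd.argoproj.io/secret-type=cluster) whose last-applied annotation echoes the "config" key where bearer tokens live, and builds the kubectl annotate command that removes the annotation. The sample secrets, hostnames and tokens are constructed for illustration.

```python
"""Audit Argo CD cluster Secrets for the kubectl last-applied-configuration annotation.

Added example, not Wiz's or the Argo CD project's code. Input is the `items`
list of `kubectl get secrets -n argocd -o json`; the objects below are
constructed samples, not real clusters or tokens.
"""
import base64
import copy
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"
SECRET_TYPE_LABEL = "argocd.argoproj.io/secret-type"
# Keys of an Argo CD cluster secret that carry authentication material.
SENSITIVE_KEYS = ("config",)


def _b64(text):
    return base64.b64encode(text.encode()).decode()


_PROD_CONFIG = json.dumps({"bearerToken": "EXAMPLE-TOKEN-NOT-REAL"})
SAMPLE_ITEMS = [
    {   # applied client-side with `kubectl apply`: annotation echoes the body
        "metadata": {
            "name": "cluster-prod",
            "namespace": "argocd",
            "labels": {SECRET_TYPE_LABEL: "cluster"},
            "annotations": {
                LAST_APPLIED: json.dumps({
                    "apiVersion": "v1", "kind": "Secret",
                    "metadata": {"name": "cluster-prod", "namespace": "argocd",
                                 "labels": {SECRET_TYPE_LABEL: "cluster"}},
                    "stringData": {"server": "https://prod.example.invalid",
                                   "config": _PROD_CONFIG},
                }),
            },
        },
        "data": {"server": _b64("https://prod.example.invalid"),
                 "config": _b64(_PROD_CONFIG)},
    },
    {   # applied with server-side apply: no annotation is written
        "metadata": {
            "name": "cluster-staging",
            "namespace": "argocd",
            "labels": {SECRET_TYPE_LABEL: "cluster"},
            "annotations": {},
        },
        "data": {"server": _b64("https://staging.example.invalid"),
                 "config": _b64(json.dumps({"bearerToken": "EXAMPLE-TOKEN-2"}))},
    },
    {   # not a cluster secret: out of scope for this advisory
        "metadata": {"name": "argocd-redis", "namespace": "argocd",
                     "labels": {}, "annotations": {LAST_APPLIED: "{}"}},
        "data": {"auth": _b64("x")},
    },
]


def is_cluster_secret(secret):
    labels = secret.get("metadata", {}).get("labels") or {}
    return labels.get(SECRET_TYPE_LABEL) == "cluster"


def leaked_keys(secret):
    """Sensitive keys whose plaintext the last-applied annotation echoes."""
    ann = (secret.get("metadata", {}).get("annotations") or {}).get(LAST_APPLIED)
    if not ann:
        return []
    try:
        applied = json.loads(ann)
    except ValueError:
        return []
    exposed = set(applied.get("stringData", {})) | set(applied.get("data", {}))
    return sorted(k for k in SENSITIVE_KEYS if k in exposed)


def audit(items):
    """(name, leaked keys) for cluster secrets whose annotation exposes auth data."""
    return [(s["metadata"]["name"], leaked_keys(s))
            for s in items if is_cluster_secret(s) and leaked_keys(s)]


def strip_last_applied(secret):
    """Copy of the secret with the annotation removed (the advisory's manual fix)."""
    cleaned = copy.deepcopy(secret)
    (cleaned["metadata"].get("annotations") or {}).pop(LAST_APPLIED, None)
    return cleaned


def remediation_command(name, namespace="argocd"):
    """kubectl command that drops the annotation; a trailing '-' removes a key."""
    return f"kubectl -n {namespace} annotate secret {name} {LAST_APPLIED}-"


if __name__ == "__main__":
    for name, keys in audit(SAMPLE_ITEMS):
        print(f"{name}: annotation exposes {', '.join(keys)}")
        print("  fix:", remediation_command(name))
```

Only the client-side-applied secret is reported; the staging secret, applied server-side, has no annotation and is clean. Running the audit after the annotation has been removed, or after re-applying with the server-side flag, should return an empty list.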
Source: This report was generated using AI