Authorization Bypass Affecting github.com/argoproj/argo-cd/util/session package, versions >=0.0.0
Snyk ID: SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDUTILSESSION-3248487
- published 26 Jan 2023
- disclosed 25 Jan 2023
- credit ChangZhuo Chen (@czchen)
Introduced: 25 Jan 2023
CVE-2023-22736
How to fix?
A fix was pushed into the master branch but not yet published.
Overview
github.com/argoproj/argo-cd/util/session is a package of Argo CD, a declarative continuous deployment tool for Kubernetes.
Affected versions of this package are vulnerable to Authorization Bypass which allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces.
Note:
This bug only applies to users who have explicitly enabled the "apps-in-any-namespace" feature by setting application.namespaces in the argocd-cmd-params-cm ConfigMap, or otherwise setting the --application-namespaces flag on the Application controller and API server components.
The vulnerability is limited to Argo CD instances where sharding is enabled by increasing the replicas count for the Application controller.
The AppProjects' sourceNamespaces field acts as a secondary check against this exploit. To cause reconciliation of an Application in an out-of-bounds namespace, an AppProject must be available which permits Applications in the out-of-bounds namespace.
Workarounds
Users who are unable to update to a fixed version are advised to run only one replica of the Application controller; this prevents exploitation of the issue.
Restricting every AppProject's sourceNamespaces to the namespaces configured in application.namespaces will also prevent exploitation of this bug, because the out-of-bounds Application then has no AppProject that permits it.
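The two workarounds above are both things an operator can check mechanically. The following Go program is an added example, not Argo CD's own code: it models the controller settings and the AppProjects with assumed minimal types (ControllerConfig, AppProject), uses path.Match as a stand-in for Argo CD's glob matching, and reports when the controller runs more than one replica or when an AppProject's sourceNamespaces entry is not provably inside the configured application namespaces. The configuration and project data in main are constructed for the example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ControllerConfig holds the two settings the advisory refers to (assumed shape,
// not an Argo CD type).
type ControllerConfig struct {
	ApplicationNamespaces []string // application.namespaces / --application-namespaces
	Replicas              int      // replica count of the Application controller
}

// AppProject is a minimal stand-in for an Argo CD AppProject (assumed shape).
type AppProject struct {
	Name             string
	SourceNamespaces []string
}

// hasGlob reports whether a namespace entry contains glob metacharacters.
func hasGlob(s string) bool { return strings.ContainsAny(s, "*?[") }

// namespaceAllowed reports whether a concrete namespace matches one of the
// configured application namespaces. path.Match is an assumption standing in
// for Argo CD's own glob matcher.
func namespaceAllowed(ns string, allowed []string) bool {
	for _, pat := range allowed {
		if ok, err := path.Match(pat, ns); err == nil && ok {
			return true
		}
	}
	return false
}

// outOfBoundsEntries returns the sourceNamespaces entries that are not provably
// inside the configured application namespaces. A literal entry is accepted if
// some allowed pattern matches it; a wildcard entry is accepted only if it
// appears verbatim in the allowed list. Anything else is flagged, so a broad
// "*" is always reported unless "*" itself is configured. This is deliberately
// conservative: it may over-report, never under-report.
func outOfBoundsEntries(p AppProject, allowed []string) []string {
	var bad []string
	for _, entry := range p.SourceNamespaces {
		if hasGlob(entry) {
			verbatim := false
			for _, pat := range allowed {
				if pat == entry {
					verbatim = true
					break
				}
			}
			if !verbatim {
				bad = append(bad, entry)
			}
			continue
		}
		if !namespaceAllowed(entry, allowed) {
			bad = append(bad, entry)
		}
	}
	return bad
}

// Audit returns one finding per violated workaround. An empty result means
// both mitigations are in place; a nil result with no application namespaces
// configured means apps-in-any-namespace is off and the advisory does not apply.
func Audit(cfg ControllerConfig, projects []AppProject) []string {
	if len(cfg.ApplicationNamespaces) == 0 {
		return nil
	}
	var findings []string
	if cfg.Replicas > 1 {
		findings = append(findings, fmt.Sprintf(
			"Application controller runs %d replicas; run 1 until a fixed version is deployed", cfg.Replicas))
	}
	for _, p := range projects {
		for _, ns := range outOfBoundsEntries(p, cfg.ApplicationNamespaces) {
			findings = append(findings, fmt.Sprintf(
				"AppProject %q: sourceNamespaces entry %q reaches outside application.namespaces %v",
				p.Name, ns, cfg.ApplicationNamespaces))
		}
	}
	return findings
}

func main() {
	// Constructed configuration: sharded controller, one project within bounds,
	// one with a catch-all wildcard, one pointing at a namespace outside the list.
	cfg := ControllerConfig{ApplicationNamespaces: []string{"argocd", "team-*"}, Replicas: 3}
	projects := []AppProject{
		{Name: "team-a", SourceNamespaces: []string{"team-a", "team-b"}},
		{Name: "platform", SourceNamespaces: []string{"*"}},
		{Name: "ops", SourceNamespaces: []string{"kube-system"}},
	}
	for _, f := range Audit(cfg, projects) {
		fmt.Println("FINDING:", f)
	}
}
```

Run against the constructed data, the audit reports three findings: the three-replica controller, the "*" entry in the platform project, and kube-system in the ops project; the team-a project passes because both of its entries match team-*. When pointing this at a real cluster, feed it the values from argocd-cmd-params-cm and from `kubectl get appprojects -A -o json`; treat every finding as a reason either to scale the controller to one replica or to tighten the offending sourceNamespaces until a fixed release is deployed.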