CVE-2023-50726

EPSS 0.02%
Veröffentlicht 13.03.2024 21:15:54
Zuletzt bearbeitet 02.06.2025 14:35:20
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. The only restriction which is not enforced is that the manifests come from some approved git/Helm/OCI source. The bug was introduced in 1.2.0-rc1 when the local manifest sync feature was added. The bug has been patched in Argo CD versions 2.10.3, 2.9.8, and 2.8.12. Users are advised to upgrade. Users unable to upgrade may mitigate the risk of branch protection bypass by removing `applications, create` RBAC access. The only way to eliminate the issue without removing RBAC access is to upgrade to a patched version.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Argoproj ≫ Argo Cd Version >= 1.2.0 < 2.8.12

Argoproj ≫ Argo Cd Version >= 2.9.0 < 2.9.7

Argoproj ≫ Argo Cd Version >= 2.10.0 < 2.10.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.055

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.4	3.1	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
security-advisories@github.com	6.4	3.1	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

CWE-269 Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac

Product

https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978

Patch

https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-50726

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-50726

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-50726

EUVD