Argo CD is a declarative, GitOps-based continuous delivery tool designed to simplify and streamline application deployments in Kubernetes environments. As part of the CNCF (Cloud Native Computing Foundation) ecosystem, Argo CD has become a cornerstone for teams embracing cloud-native development practices.
At its core, Argo CD ensures that the desired application state defined in Git repositories is automatically synchronized with the live state of applications running in Kubernetes clusters. This approach eliminates configuration drift, reduces manual intervention, and accelerates the deployment process.
Security Fixes in 2024
Over the past year, the Argo CD team has been relentless in securing the platform, releasing 13 security patches, including:
- 8 medium-severity fixes
- 3 high-severity fixes
- 2 critical fixes
The team also reviewed and resolved 28 vulnerability reports. Below are some of the most significant fixes and their details:
1. Unauthenticated Denial of Service (DoS) via /api/webhook Endpoint
This vulnerability allowed unauthenticated attackers to send specially crafted large JSON payloads to the /api/webhook endpoint. The excessive memory allocation caused service disruptions due to Out-Of-Memory (OOM) kills.
- Severity: High (7.5)
- GHSA-jmvp-698c-4x3w
2. Risky or Missing Cryptographic Algorithms in Redis Cache
The Redis database was not password-protected by default, allowing attackers to manipulate cache data, execute unauthorized deployments, and potentially take over the cluster. The fix included encrypting and signing all Redis database values.
- Severity: Critical (9.1)
- GHSA-9766-5277-j5hr
3. Cross-Site Scripting (XSS) in Application Summary Component
An XSS vulnerability allowed attackers to inject JavaScript links into the UI. When a victim clicked such a link, the injected script ran with the victim's permissions, enabling actions such as creating, modifying, or deleting Kubernetes resources on the victim's behalf.
- Severity: Critical (9.1)
- GHSA-jwv5-8mqv-g387
4. Cluster Secret Leakage in Cluster Details Page
Cluster secrets stored in the kubectl.kubernetes.io/last-applied-configuration annotation were exposed through the ArgoCD API. This posed a risk when bearer tokens or sensitive credentials were stored in secrets.
- Severity: High (9.9)
- GHSA-fwr2-64vr-xv9m
5. Denial of Service via Malicious jqPathExpressions
Malicious jqPathExpressions caused out-of-memory errors during deployment operations. This vulnerability has been mitigated by validating such expressions and enforcing memory usage limits.
- Severity: Medium (6.5)
- GHSA-9m6p-x4h2-6frq
6. Uncontrolled Resource Consumption in the Repo Server
The repo-server component was vulnerable to a DoS attack by fetching unbounded data from malicious Helm registries. Enhancements to the loadRepoIndex() function now enforce size and time limits during data retrieval.
- Severity: Medium (6.5)
- GHSA-jhwx-mhww-rgc3
Acknowledgments
We extend our deepest gratitude to the ArgoCD team for their dedicated efforts in identifying and resolving these vulnerabilities. Special thanks to security reporters and collaborators, including teams from Intuit, Red Hat, and Codefresh, for their invaluable contributions in discovering and addressing these issues.
Internet Bug Bounty Program
The Argoproj team takes security very seriously and is continuously working on improving it.
We partner with HackerOne’s Internet Bug Bounty program to reward those who responsibly report and help fix security vulnerabilities in Argo CD, Events, Rollouts, and Workflows.
Report vulnerabilities per our security policy, and we’ll determine eligibility and guide you in claiming a bounty.
Together, we continue to make ArgoCD a secure and reliable tool for the Kubernetes and DevOps communities.