CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-40584 – Denial of Service to Argo CD repo-server
https://notcve.org/view.php?id=CVE-2023-40584
07 Sep 2023 — Argo CD is a declarative continuous deployment for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exploits this vulnerability to the repo-server, thereby harming the system's functionality and availa... • https://github.com/argoproj/argo-cd/commit/b8f92c4ff226346624f43de3f25d81dac6386674 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 9.9EPSS: 1%CPEs: 3EXPL: 2CVE-2023-40029 – Cluster secret might leak in cluster details page in Argo CD
https://notcve.org/view.php?id=CVE-2023-40029
07 Sep 2023 — Argo CD is a declarative continuous deployment for Kubernetes. Argo CD Cluster secrets might be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in`kubectl.kubernetes.io/last-applied-configuration` annotation. pull request #7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets it also exposes the `kubectl.kubernetes.io/last-applied-configuration` annotation which includes full secret body. In order to view t... • https://github.com/guobei233/CVE-2023-40029 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •