DescriptionA flaw was found in the ArgoCD package, used by Red Hat GitOps, that allows cluster secrets to be managed declaratively using the `kubectl apply` functionality, resulting in the full secret body being stored in `kubectl.kubernetes.io/last-applied-configuration` annotation. Since ArgoCD has included the ability to manage cluster labels and annotations via its API, an attacker can retrieve sensitive authentication information by leveraging this capability, imposing a high impact on data confidentiality and integrity for the targeted ArgoCD cluster. To perform a successful attack, the malicious actor should have `clusters, get` RBAC access granted to its user.A flaw was found in the ArgoCD package, used by Red Hat GitOps, that allows cluster secrets to be managed declaratively using the kubectl apply functionality, resulting in the full secret body being stored in kubectl.kubernetes.io/last-applied-configuration annotation. Since ArgoCD has included the ability to manage cluster labels and annotations via its API, an attacker can retrieve sensitive authentication information by leveraging this capability, imposing a high impact on data confidentiality and integrity for the targeted ArgoCD cluster. To perform a successful attack, the malicious actor should have clusters, get RBAC access granted to its user.
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.
Vulmon