Argo CD
cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*
- >= 3.2.0, < 3.2.11
- >= 3.3.0, < 3.3.9
A vulnerability exists in Argo CD versions 3.2.0 prior to 3.2.11 and 3.3.0 prior to 3.3.9, allowing read-only users to extract unmasked Kubernetes Secret data from etcd. This is achieved through the ServerSideDiff endpoint, which improperly handles authorization and data masking. The issue arises because the ServerSideDiff function delivers raw, unmasked data, bypassing Argo CD's usual protections when certain conditions are met. Exploitation is possible if the Secret's data fields are managed by a non-Argo CD field manager, enabling the real values to persist in the response.
Exploitation allows the extraction of sensitive Kubernetes Secret information, including service account tokens, TLS certificates, database credentials, and API keys.
To reproduce this vulnerability, an authenticated user with read-only access can invoke the ServerSideDiff gRPC/REST endpoint. If the target application has the 'IncludeMutationWebhook' annotation set to true, the endpoint will return unmasked Secret data from etcd, including real values that are normally concealed. This can be automated with a provided proof-of-concept script that extracts Secrets through the vulnerable endpoint.
Users can upgrade to Argo CD versions 3.2.11 or 3.3.9, where this vulnerability has been patched.
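To help operators confirm which instances still need the upgrade, the following is an added example (not code from Argo CD or from this advisory) that checks reported server versions against the two affected ranges listed above. It assumes version strings in the `vMAJOR.MINOR.PATCH[+build]` form that `argocd version` prints; the inventory of clusters and versions is a constructed sample, not real data.

```python
import re

# Affected ranges from the advisory, as (first affected, first fixed) tuples.
# The lower bound is inclusive, the upper bound (the patched release) exclusive.
AFFECTED_RANGES = (
    ((3, 2, 0), (3, 2, 11)),
    ((3, 3, 0), (3, 3, 9)),
)

# Accepts "3.2.10", "v3.2.10" and "v3.2.10+abc123" (build metadata ignored).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) or raise ValueError for unparseable input."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Argo CD version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the given Argo CD version falls inside an affected range."""
    version = parse_version(text)
    return any(low <= version < fixed for low, fixed in AFFECTED_RANGES)


def audit(inventory):
    """Given {cluster_name: version_string}, return the sorted list of
    clusters that still run an affected release. Unparseable versions are
    reported too, since an unknown version cannot be assumed safe."""
    needs_upgrade = []
    for cluster, version in inventory.items():
        try:
            if is_affected(version):
                needs_upgrade.append(cluster)
        except ValueError:
            needs_upgrade.append(cluster)
    return sorted(needs_upgrade)


# Constructed sample inventory (hypothetical cluster names and versions).
SAMPLE_INVENTORY = {
    "prod-eu": "v3.2.10+9f1a2b3",   # affected: below 3.2.11
    "prod-us": "v3.2.11+4c5d6e7",   # fixed
    "staging": "v3.3.0",            # affected: below 3.3.9
    "dev": "3.3.9",                 # fixed
    "legacy": "v3.1.7",             # outside both ranges
    "unknown": "n/a",               # unparseable, flagged for review
}

if __name__ == "__main__":
    for name in audit(SAMPLE_INVENTORY):
        print(f"{name}: upgrade required ({SAMPLE_INVENTORY[name]})")
```

Unparseable versions are deliberately reported alongside affected ones, so a cluster with a missing or malformed version field is not silently treated as patched.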