Argo CD Server-Side Diff Vulnerability Allows Kubernetes Secret Extraction

Vulnerability

A vulnerability in Argo CD versions 3.2.0 prior to 3.2.11 and 3.3.0 prior to 3.3.9 allows users with read-only access to extract unmasked Kubernetes Secret data from etcd via the Kubernetes API server's Server-Side Apply dry-run mechanism. The issue arises because the ServerSideDiff endpoint fails to properly mask Secret data, exposing sensitive information such as service account tokens, TLS certificates, database credentials, and API keys. The vulnerability is exploitable on applications that carry a specific compare-options annotation, which disables a built-in Secret-masking safeguard.

Impact

Exploitation of this vulnerability allows for the extraction of real Kubernetes Secret values, including sensitive data like service account tokens, TLS certificates, database credentials, and API keys.

Reproduction

To reproduce this vulnerability, an authenticated user holding the get permission on Argo CD applications can invoke the ServerSideDiff function on an application that has the annotation 'argocd.argoproj.io/compare-options: IncludeMutationWebhook=true'. This annotation bypasses the normal data masking for Secrets, so the ServerSideDiff call returns unmasked Secret values from etcd, including sensitive data such as service account tokens and TLS certificates.

Remediation

Users should upgrade to Argo CD 3.2.11 or 3.3.9 (or later within the respective minor line), where this vulnerability has been patched.
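The following triage helper is an added example and not code from the Argo CD project or from this advisory. It implements the two checks a defender would want from the Reproduction and Remediation sections: whether a running Argo CD version falls inside the affected ranges stated above, and which Application manifests carry the compare-options annotation with IncludeMutationWebhook=true, so those applications can be reviewed first while the upgrade is rolled out. The manifests are plain dicts as produced by loading kubectl JSON output; the sample manifests, the comma-separated parsing of compare-options, and the function names are assumptions made for this example.

```python
"""Hypothetical defender-side triage helper for the Argo CD ServerSideDiff
Secret-masking issue described above (added example; not Argo CD project code).

It does two things:
  1. Decides whether a running Argo CD version falls in the affected ranges
     stated in the advisory (3.2.0 <= v < 3.2.11, 3.3.0 <= v < 3.3.9).
  2. Scans Argo CD Application manifests for the compare-options annotation
     value IncludeMutationWebhook=true, which the advisory says disables the
     Secret-masking safeguard, so those applications can be prioritised.
Manifests are plain dicts (as produced by json/yaml loading); the sample
manifests at the bottom are constructed for this example.
"""
from __future__ import annotations

import re

ANNOTATION = "argocd.argoproj.io/compare-options"

# Affected ranges from the advisory: [first affected, first fixed) per minor line.
AFFECTED_RANGES = (
    ((3, 2, 0), (3, 2, 11)),
    ((3, 3, 0), (3, 3, 9)),
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn strings like 'v3.2.5' or '3.3.9+abc123' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(version: str) -> bool:
    """True when the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def compare_options(app: dict) -> dict[str, str]:
    """Parse the compare-options annotation into {option: value}.

    Assumption (not stated by the advisory): options are comma-separated and
    each is either 'Name' or 'Name=value'; a bare 'Name' is recorded as 'true'.
    """
    raw = app.get("metadata", {}).get("annotations", {}).get(ANNOTATION, "")
    opts: dict[str, str] = {}
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, value = item.partition("=")
        opts[name.strip()] = value.strip() or "true"
    return opts


def includes_mutation_webhook(app: dict) -> bool:
    """True when the app carries IncludeMutationWebhook=true (value compared case-insensitively)."""
    return compare_options(app).get("IncludeMutationWebhook", "").lower() == "true"


def triage(argocd_version: str, apps: list[dict]) -> dict:
    """Summarise exposure: is the version affected, and which apps disable masking."""
    flagged = [
        f"{a['metadata'].get('namespace', 'argocd')}/{a['metadata']['name']}"
        for a in apps
        if includes_mutation_webhook(a)
    ]
    return {
        "version_affected": is_affected_version(argocd_version),
        "apps_with_mutation_webhook": flagged,
    }


# Constructed sample Application manifests (not from a real cluster).
SAMPLE_APPS = [
    {"metadata": {"name": "payments", "namespace": "argocd",
                  "annotations": {ANNOTATION: "ServerSideDiff=true,IncludeMutationWebhook=true"}}},
    {"metadata": {"name": "frontend", "namespace": "argocd",
                  "annotations": {ANNOTATION: "ServerSideDiff=true"}}},
    {"metadata": {"name": "batch", "namespace": "argocd"}},
]

if __name__ == "__main__":
    # Expected: version affected, and only argocd/payments flagged.
    print(triage("v3.2.5", SAMPLE_APPS))
```

Against a live cluster, feed the helper the `items` list from `kubectl get applications.argoproj.io -A -o json` and the version reported by the Argo CD API server; an application flagged by `triage` is one where, on an affected version, the built-in masking described above would not apply to ServerSideDiff results.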

Added: May 2, 2026, 2:17 AM
Updated: May 2, 2026, 2:17 AM

Vulnerability Rating

Custom Algorithm

  category        score
  spread          3.1
  impact          2.5
  exploitability  6.6
  remediation     7.7
  relevance       7.2
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.