Impact
A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository.
Exploitation requires a user with write access to the repository, who can trigger it, either intentionally or unintentionally, by committing an invalid Secret to the repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.
Patches
A patch for this vulnerability is available in the following Argo CD versions:
- v2.13.4
- v2.12.10
- v2.11.13
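To check a deployment against the fixed releases listed above, the following added example (not part of the advisory or the Argo CD project) classifies a version string. The function names are hypothetical, and treating release lines newer than 2.13 as fixed is an assumption.

```python
import re

# Fixed releases listed in the advisory, keyed by (major, minor) release line.
PATCHED = {(2, 13): 4, (2, 12): 10, (2, 11): 13}
NEWEST_LINE = max(PATCHED)

# Accepts an optional leading "v", a pre-release tag and a "+build" suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+.*)?$")


def parse_version(text):
    """Parse 'v2.12.3+abc1234' style strings into (major, minor, patch, is_prerelease)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return major, minor, patch, bool(m.group(4))


def patch_status(text):
    """Return 'patched', 'upgrade-needed' or 'no-fix-listed' for a version string."""
    major, minor, patch, prerelease = parse_version(text)
    line = (major, minor)
    if line > NEWEST_LINE:
        # Assumption: release lines newer than the newest listed one include the fix.
        return "patched"
    if line not in PATCHED:
        # Older release line: the advisory lists no fixed build for it.
        return "no-fix-listed"
    fixed = PATCHED[line]
    # A pre-release of the fixed build (e.g. 2.13.4-rc1) sorts before the release.
    if patch > fixed or (patch == fixed and not prerelease):
        return "patched"
    return "upgrade-needed"


if __name__ == "__main__":
    # Constructed sample version strings, not taken from a real deployment.
    for v in ["v2.13.4+abc1234", "v2.12.9", "v2.11.13-rc1", "v2.10.18", "v2.14.0"]:
        print(f"{v:20} {patch_status(v)}")
```

A result of `no-fix-listed` means the release line has no fixed build in this advisory, so the upgrade target is one of the three listed versions.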
Workarounds
There is no workaround other than upgrading.
References
Fixed with commits argoproj/argo-cd@6f5537b and argoproj/gitops-engine@7e21b91