Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync.
Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
Vulnerable Products 3
| Configuration | From (including) | Up to (excluding) |
|---|---|---|
|
Argoproj Argo_Cd
cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
|
— |
2.11.13
|
|
Argoproj Argo_Cd
cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
|
2.12.0
|
2.12.10
|
|
Argoproj Argo_Cd
cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*
|
2.13.0
|
2.13.4
|
References 3
https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e…
security-advisories@github.com
https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v
security-advisories@github.com
https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c…
security-advisories@github.com