Merge pull request #5689 from github/kbsteere-GHSA-274v-mgcv-cm8j

advisory-database[bot] · web-flow · commit 52db7b5c8f5a · 2025-06-17T14:42:48.000Z
diff --git a/advisories/github-reviewed/2025/01/GHSA-274v-mgcv-cm8j/GHSA-274v-mgcv-cm8j.json b/advisories/github-reviewed/2025/01/GHSA-274v-mgcv-cm8j/GHSA-274v-mgcv-cm8j.json
@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-274v-mgcv-cm8j",
-  "modified": "2025-02-05T16:31:11Z",
+  "modified": "2025-02-05T16:31:13Z",
   "published": "2025-01-30T17:51:33Z",
   "aliases": [],
   "summary": "Argo CD GitOps Engine does not scrub secret values from patch errors",
-  "details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.\n\n### Patches\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4\n- v2.12.10\n- v2.11.13\n\n### Workarounds\nThere is no workaround other than upgrading.\n\n### References\nFixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
+  "details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. \n\nThe vulnerability was specific to the Argo CD GitOps Engine which is a required dependency of Argo CD. At some point the versions of the two repositories were synced. The go package in Argo CD was not updated to the new versioning; instead this patch was pulled in via specific commit which keeps the version at 0.7.1 but with date and commit hash. \n\n### Patches\nArgo CD GitOps Engine patch [release-2.12](https://github.com/argoproj/gitops-engine/commit/faf5a4e5c37d22fedaa2726b430af5b5ae9e567a) which is the same commit as 0.7.1-0.20250129155113-faf5a4e5c37d\n\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4: https://github.com/argoproj/argo-cd/commit/10b9589f1cefda9b3559708abef3b3c316e99971\n- v2.12.10: https://github.com/argoproj/argo-cd/commit/a9d8027d4a8bf3230e16063d4a24fbcaa3a8b457\n- v2.11.13: https://github.com/argoproj/argo-cd/commit/fa988be375842e78d241a04c27c98ae1e14d69e6\n\n### Workarounds\nThere is no workaround other than upgrading.\n\n### References\nFixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -26,11 +26,36 @@
               "introduced": "0"
             },
             {
-              "last_affected": "0.7.3"
+              "fixed": "v0.7.1-0.20250129155113-faf5a4e5c37d"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.7.3"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "https://github.com/argoproj/argo-cd"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.11.13,2.12.10,2.13.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2.13.4"
+      }
     }
   ],
   "references": [
@@ -42,10 +67,22 @@
       "type": "WEB",
       "url": "https://github.com/argoproj/gitops-engine/security/advisories/GHSA-274v-mgcv-cm8j"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/argoproj/argo-cd/commit/10b9589f1cefda9b3559708abef3b3c316e99971"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/argoproj/argo-cd/commit/a9d8027d4a8bf3230e16063d4a24fbcaa3a8b457"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/argoproj/argo-cd/commit/fa988be375842e78d241a04c27c98ae1e14d69e6"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca"
