Commit 55b862c

The https://github.com/argoproj/gitops-engine/branches/all is in a tricky situation w.r.t. version ranges for this vulnerability. The release-0.7 branch is obsolete and has the last tagged releases of 0.7.1, 0.7.2, 0.7.3. Active development branches started off 0.7.0 and branch to master and the argo-cd specific version stream. All of them use 0.7.1-DATE-COMMIT pseudoversions.

Document that v0.7.1, v0.7.2, v0.7.3 tags are vulnerable. Document that v0.7.1-DATE-COMMIT pseudoversions are vulnerable up to the 2025-01-29 pseudoversion, as that is higher than all obsolete (unmaintained & vulnerable) ones and matches the commit just before the commit that resolves this CVE in all the remediated branches and all future branches off master.

The webform didn't let me construct such version constraints, thus please ensure this is manually verified to be valid syntax to capture that the v0.7.1, v0.7.2, v0.7.3 tags are vulnerable, and that within pseudoversions between v0.7.1 and v0.7.2 there is an affected range of when the CVE got remediated across all branches.

The approach here tries to use the pseudoversions, and the fact that unremediated branches are stale way prior to 2025-01-29, and that remediation was cherry-picked on the same date with the same commit date, but different git hashes. Thus using pseudoversions to declare a very tight pseudoversion range without any commit from any branch being misdetected as either a false positive or a false negative.

Also see:
- github#5689
- github#5721
- argoproj/gitops-engine#736
- golang/vulndb#3760
1 parent b24dd98 commit 55b862c

File tree

1 file changed: +14 -3 lines changed

advisories/github-reviewed/2025/01/GHSA-274v-mgcv-cm8j/GHSA-274v-mgcv-cm8j.json

Lines changed: 14 additions & 3 deletions
@@ -1,11 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-274v-mgcv-cm8j",
4-
"modified": "2025-02-05T16:31:11Z",
4+
"modified": "2025-06-13T20:01:11Z",
55
"published": "2025-01-30T17:51:33Z",
66
"aliases": [],
77
"summary": "Argo CD GitOps Engine does not scrub secret values from patch errors",
8-
"details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.\n\n### Patches\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4\n- v2.12.10\n- v2.11.13\n\n### Workarounds\nThere is no workaround other than upgrading.\n\n### References\nFixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
8+
"details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.\n\n### Patches\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4\n- v2.12.10\n- v2.11.13\n- v2.14 and later\n\nAffected branches:\n- release-0.7 (including tags v0.7.0, v0.7.2, v0.7.3)\n- argo-cd-release-2.8\n- argo-cd-release-2.9\n- argo-cd-release-2.10\n\nRemediated branches:\n- argo-cd-release-2.11\n- release-2.12\n- release-2.13\n- release-2.14\n- master\n\n### Workarounds\nUpgrade to commits from remediated branches with pseudo-version higher than v0.7.1-0.20250129155113 and less than v0.7.2.\n\nCurrently webform is preventing me to submit that `>= v0.7.2, <= v0.7.3` are still affected.\n\n### References\nFixed with commit\n- https://github.com/argoproj/gitops-engine/commit/a4b7cc110bf16b01daf5b9c7e0e4f3654dfa62db\n- https://github.com/argoproj/gitops-engine/commit/faf5a4e5c37d22fedaa2726b430af5b5ae9e567a\n- https://github.com/argoproj/gitops-engine/commit/4c6e03c46314d861f05a92440c5f7dd516f85016\n- https://github.com/argoproj/gitops-engine/commit/c19f8cfa4d27b0d1b027c9418409ebdbc28d3169\n- https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
99
"severity": [
1010
{
1111
"type": "CVSS_V3",
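Review bot: the new "Affected branches" list in the `details` string names tags v0.7.0, v0.7.2 and v0.7.3 for release-0.7, while the commit message says the vulnerable tags are v0.7.1, v0.7.2 and v0.7.3; one of the two is off by a tag, and since v0.7.1 is the base of the pseudoversion stream it is the one that matters, so either the list should read `(including tags v0.7.1, v0.7.2, v0.7.3)` or the commit message should say why v0.7.0 is listed. Two further points on the same string: the sentence `Currently webform is preventing me to submit that ...` is a note to the advisory maintainers and will be published verbatim to every consumer of the advisory if it stays in `details`, so it belongs in the PR description instead; and the "Workarounds" section now gives an upgrade path (pseudo-version higher than v0.7.1-0.20250129155113 and less than v0.7.2), which is remediation rather than a workaround, so keep the original `There is no workaround other than upgrading.` there and move the pseudo-version guidance under "Patches" next to the fixed Argo CD versions.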
@@ -25,6 +25,17 @@
2525
{
2626
"introduced": "0"
2727
},
28+
{
29+
"fixed": "0.7.1-0.20250129155113"
30+
}
31+
]
32+
},
33+
{
34+
"type": "ECOSYSTEM",
35+
"events": [
36+
{
37+
"introduced": "0.7.2"
38+
},
2839
{
2940
"last_affected": "0.7.3"
3041
}
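Review bot: the two ranges leave the v0.7.1 tag itself uncovered. The first range runs from `"introduced": "0"` to `"fixed": "0.7.1-0.20250129155113"`, and a pre-release pseudo-version sorts below the release it is based on, so v0.7.1 lies above that `fixed` bound; the second range only starts at `"introduced": "0.7.2"`. A matcher will therefore report v0.7.1 as unaffected, although the commit message states that v0.7.1, v0.7.2 and v0.7.3 are all vulnerable. Changing the second range to `"introduced": "0.7.1"` closes the gap without pulling any v0.7.1-DATE-COMMIT pseudo-version back in, because all of those sort below the bare 0.7.1. Separately, the `fixed` value has no commit-hash suffix, so it is not a version that exists in the module; it works only if the matcher applies semver pre-release precedence, under which `0.20250129155113-<hash>` sorts above `0.20250129155113`, so every pseudo-version carrying that exact timestamp counts as fixed and anything with an earlier timestamp counts as affected. Please confirm that no unremediated commit shares that timestamp and state in the commit message which fix commit's pseudo-version is the first fixed one, since the commit message currently describes the 2025-01-29 pseudo-version as the one "just before" the fix.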
@@ -66,4 +77,4 @@
6677
"github_reviewed_at": "2025-01-30T17:51:33Z",
6778
"nvd_published_at": null
6879
}
69-
}
80+
}
