Impact
When a user with update permissions to an Application was editing a Secret resource's manifest in the UI with invalid input (e.g. adding a new key with a value not encoded in base64), Argo CD would print the contents of the Secret as an error message in JSON format.
As this error message is user visible, it effectively circumvented the redaction feature of Argo CD. Also, as this error message is logged, the plain-text contents of the Secret ended up in the log files and possibly in log management systems.
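The failure mode above is a general one: a validation error that echoes the object it rejected will carry secret material into every place the error travels (UI, logs, log pipelines). The following Go example is added here to illustrate that pattern and its fix; it is not Argo CD's code. SecretManifest, validateLeaky, validateSafe, Redact and ErrorLeaksValue are constructed names for this illustration, and the manifest values are made up.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// SecretManifest is a minimal stand-in for a Kubernetes Secret manifest
// (constructed for this example; not Argo CD's own types).
type SecretManifest struct {
	Kind string            `json:"kind"`
	Data map[string]string `json:"data"`
}

// RedactedPlaceholder replaces secret values in anything user-visible or logged.
const RedactedPlaceholder = "++++++++"

// validateLeaky mirrors the failure pattern described in the advisory: on
// invalid input it marshals the whole manifest, plaintext values included,
// into the error string. Anything that displays or logs this error leaks.
func validateLeaky(m SecretManifest) error {
	for k, v := range m.Data {
		if _, err := base64.StdEncoding.DecodeString(v); err != nil {
			raw, _ := json.Marshal(m) // marshal of a plain struct cannot fail here
			return fmt.Errorf("invalid secret manifest %s: key %q: %v", raw, k, err)
		}
	}
	return nil
}

// Redact returns a copy of the manifest with every data value replaced.
// Key names are kept so the user can still see which entry was rejected.
func Redact(m SecretManifest) SecretManifest {
	out := SecretManifest{Kind: m.Kind, Data: make(map[string]string, len(m.Data))}
	for k := range m.Data {
		out.Data[k] = RedactedPlaceholder
	}
	return out
}

// validateSafe reports which key failed but never includes a value, and it
// does not forward the decoder's own error, which may quote the bad input.
func validateSafe(m SecretManifest) error {
	for k, v := range m.Data {
		if _, err := base64.StdEncoding.DecodeString(v); err != nil {
			raw, _ := json.Marshal(Redact(m))
			return fmt.Errorf("invalid secret manifest %s: key %q is not valid base64", raw, k)
		}
	}
	return nil
}

// ErrorLeaksValue is the check a code reviewer or unit test can run against
// any error produced while handling a Secret: does its text contain one of
// the manifest's plaintext values?
func ErrorLeaksValue(err error, m SecretManifest) bool {
	if err == nil {
		return false
	}
	for _, v := range m.Data {
		if v != "" && strings.Contains(err.Error(), v) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed input: a value that is not base64, as a user might paste.
	m := SecretManifest{Kind: "Secret", Data: map[string]string{
		"password": "hunter2-not-base64!",
	}}
	fmt.Println("leaky:", validateLeaky(m))
	fmt.Println("safe: ", validateSafe(m))
}
```

The point of ErrorLeaksValue is that redaction should be verified at the error boundary, not assumed: a test that feeds a deliberately invalid manifest through every validation path and asserts that no returned error contains a data value would have caught this class of bug before it reached the UI or the logs.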
Patches
Patches for this issue have been released with the v1.7.14 and v1.8.7 versions of Argo CD.
Workarounds
No workaround available.
References
N/A
For more information
If you have any questions or comments about this advisory: #argo-cd
Credits
This vulnerability was found & reported by Ezekiel Keator and Kevin Haung of Palo Alto Networks.
The Argo CD team would like to thank these contributors for their responsible disclosure and constructive communications during the resolution of this issue.