Merge pull request #5723 from xnox/GHSA-274v-mgcv-cm8j

advisory-database[bot] · web-flow · commit 605827202477 · 2025-06-17T14:42:51.000Z
diff --git a/advisories/github-reviewed/2025/01/GHSA-274v-mgcv-cm8j/GHSA-274v-mgcv-cm8j.json b/advisories/github-reviewed/2025/01/GHSA-274v-mgcv-cm8j/GHSA-274v-mgcv-cm8j.json
@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-274v-mgcv-cm8j",
-  "modified": "2025-02-05T16:31:11Z",
+  "modified": "2025-06-13T20:01:11Z",
   "published": "2025-01-30T17:51:33Z",
   "aliases": [],
   "summary": "Argo CD GitOps Engine does not scrub secret values from patch errors",
-  "details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.\n\n### Patches\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4\n- v2.12.10\n- v2.11.13\n\n### Workarounds\nThere is no workaround other than upgrading.\n\n### References\nFixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
+  "details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.\n\n### Patches\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4\n- v2.12.10\n- v2.11.13\n- v2.14 and later\n\nAffected branches:\n- release-0.7 (including tags v0.7.0, v0.7.2, v0.7.3)\n- argo-cd-release-2.8\n- argo-cd-release-2.9\n- argo-cd-release-2.10\n\nRemediated branches:\n- argo-cd-release-2.11\n- release-2.12\n- release-2.13\n- release-2.14\n- master\n\n### Workarounds\nUpgrade to commits from remediated branches with pseudo-version higher than v0.7.1-0.20250129155113 and less than v0.7.2.\n\nCurrently webform is preventing me to submit that `>= v0.7.2, <= v0.7.3` are still affected.\n\n### References\nFixed with commit\n- https://github.com/argoproj/gitops-engine/commit/a4b7cc110bf16b01daf5b9c7e0e4f3654dfa62db\n- https://github.com/argoproj/gitops-engine/commit/faf5a4e5c37d22fedaa2726b430af5b5ae9e567a\n- https://github.com/argoproj/gitops-engine/commit/4c6e03c46314d861f05a92440c5f7dd516f85016\n- https://github.com/argoproj/gitops-engine/commit/c19f8cfa4d27b0d1b027c9418409ebdbc28d3169\n- https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -25,6 +25,25 @@
             {
               "introduced": "0"
             },
+            {
+              "fixed": "0.7.1-0.20250129155113-4c6e03c46314"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/argoproj/gitops-engine"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.7.2"
+            },
             {
               "last_affected": "0.7.3"
             }
@@ -66,4 +85,4 @@
     "github_reviewed_at": "2025-01-30T17:51:33Z",
     "nvd_published_at": null
   }
-}
+}
