[GHSA-274v-mgcv-cm8j] Argo CD GitOps Engine does not scrub secret values from patch errors #5689

Merged
@@ -1,11 +1,11 @@
{
"schema_version": "1.4.0",
"id": "GHSA-274v-mgcv-cm8j",
"modified": "2025-02-05T16:31:11Z",
"modified": "2025-02-05T16:31:13Z",
"published": "2025-01-30T17:51:33Z",
"aliases": [],
"summary": "Argo CD GitOps Engine does not scrub secret values from patch errors",
"details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.\n\n### Patches\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4\n- v2.12.10\n- v2.11.13\n\n### Workarounds\nThere is no workaround other than upgrading.\n\n### References\nFixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
"details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. \n\nThe vulnerability was specific to the Argo CD GitOps Engine which is a required dependency of Argo CD. At some point the versions of the two repositories were synced. The go package in Argo CD was not updated to the new versioning; instead this patch was pulled in via specific commit which keeps the version at 0.7.1 but with date and commit hash. \n\n### Patches\nArgo CD GitOps Engine patch [release-2.12](https://github.com/argoproj/gitops-engine/commit/faf5a4e5c37d22fedaa2726b430af5b5ae9e567a) which is the same commit as 0.7.1-0.20250129155113-faf5a4e5c37d\n\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4: https://github.com/argoproj/argo-cd/commit/10b9589f1cefda9b3559708abef3b3c316e99971\n- v2.12.10: https://github.com/argoproj/argo-cd/commit/a9d8027d4a8bf3230e16063d4a24fbcaa3a8b457\n- v2.11.13: https://github.com/argoproj/argo-cd/commit/fa988be375842e78d241a04c27c98ae1e14d69e6\n\n### Workarounds\nThere is no workaround other than upgrading.\n\n### References\nFixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
"severity": [
{
"type": "CVSS_V3",
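Review bot: the References paragraph at the end of the rewritten `details` string still reads "Fixed with commit .../argo-cd/commit/6f5537bd... & .../gitops-engine/commit/7e21b91e...", while the new Patches section points at gitops-engine commit faf5a4e5c37d and at three different argo-cd commits (10b9589f, a9d8027d, fa988be3) for v2.13.4, v2.12.10 and v2.11.13. A reader cannot tell from this text which commit is the upstream fix and which are the release backports; suggest one sentence that states the relationship explicitly rather than leaving two lists of commits that do not overlap. Two wording nits in the same string: "committing an invalid Secret to repository" should be "to the repository", and "At some point the versions of the two repositories were synced" would read better if it said what was synced (the release numbering) so the following sentence about the 0.7.1 pseudo-version follows from it.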
Expand All @@ -26,11 +26,36 @@
"introduced": "0"
},
{
"last_affected": "0.7.3"
"fixed": "v0.7.1-0.20250129155113-faf5a4e5c37d"
}
]
}
]
],
"database_specific": {
"last_known_affected_version_range": "<= 0.7.3"
}
},
{
"package": {
"ecosystem": "Go",
"name": "https://github.com/argoproj/argo-cd"
},
"ranges": [
{
"type": "ECOSYSTEM",
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.13,2.12.10,2.13.4"
}
]
}
],
"database_specific": {
"last_known_affected_version_range": "< 2.13.4"
}
}
],
"references": [
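Review bot: `"fixed": "2.11.13,2.12.10,2.13.4"` puts three versions into a single range event; in the OSV/GHSA schema each `fixed` event carries one version string, so this value will be compared as the literal string "2.11.13,2.12.10,2.13.4" and match nothing. Split it into three ranges (introduced 0 / fixed 2.11.13, introduced 2.12.0 / fixed 2.12.10, introduced 2.13.0 / fixed 2.13.4), which also makes the `"< 2.13.4"` hint consistent with 2.11.13 and 2.12.10 being patched. For the same `Go` package entry, `"name": "https://github.com/argoproj/argo-cd"` is a URL, not a Go module path; Go ecosystem entries are keyed by module path (for Argo CD v2 that is `github.com/argoproj/argo-cd/v2`), otherwise `govulncheck`-style matching on the module name fails. In the gitops-engine entry, `"fixed": "v0.7.1-0.20250129155113-faf5a4e5c37d"` keeps a leading `v` where the neighbouring `"0.7.3"` does not, and, more importantly, a `0.7.1-…` pseudo-version is a pre-release of 0.7.1 and so sorts below 0.7.2 and 0.7.3 under semver; combined with `"last_known_affected_version_range": "<= 0.7.3"` a version-ordering scanner will conclude the fix is older than the last affected release. The `details` text explains why the pseudo-version was used; the range data should encode that same fact (e.g. treat 0.7.3 as the affected ceiling and document the pseudo-version as the patched build) rather than contradict it.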
Expand All @@ -42,10 +67,22 @@
"type": "WEB",
"url": "https://github.com/argoproj/gitops-engine/security/advisories/GHSA-274v-mgcv-cm8j"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/10b9589f1cefda9b3559708abef3b3c316e99971"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/a9d8027d4a8bf3230e16063d4a24fbcaa3a8b457"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/argo-cd/commit/fa988be375842e78d241a04c27c98ae1e14d69e6"
},
{
"type": "WEB",
"url": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca"
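Review bot: the gitops-engine commit faf5a4e5c37d, which the new `details` text names as the release-2.12 patch and which is also the hash embedded in the `fixed` pseudo-version, does not appear among the `WEB` references visible in this hunk; the four argo-cd commits and 7e21b91e are listed but this one is not. The remainder of the array is collapsed here, so if it is already present below the fold this is fine; otherwise add a reference entry for it so the pseudo-version is resolvable from the advisory itself.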