BIT-argo-cd-2023-25163

Import Source
https://github.com/bitnami/vulndb/tree/main/data/argo-cd/BIT-argo-cd-2023-25163.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-argo-cd-2023-25163
Aliases
Published
2024-03-06T10:51:03.665Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefore the UI or CLI). The user must have "applications, create" or "applications, update" RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has "repositories, update" access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Bitnami / argo-cd

Package

Name
argo-cd
Purl
pkg:bitnami/argo-cd

Severity

  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected ranges

Type
SEMVER
Events (each range lists its introduced version and its last affected version)

  • Introduced 2.6.0, last affected 2.6.0
  • Introduced 2.6.0-rc1, last affected 2.6.0-rc1
  • Introduced 2.6.0-rc2, last affected 2.6.0-rc2
  • Introduced 2.6.0-rc3, last affected 2.6.0-rc3
  • Introduced 2.6.0-rc4, last affected 2.6.0-rc4
  • Introduced 2.6.0-rc5, last affected 2.6.0-rc5
  • Introduced 2.6.0-rc6, last affected 2.6.0-rc6
  • Introduced 2.6.0-rc7, last affected 2.6.0-rc7