Vulnerability-Lookup

CVE-2023-25163 (GCVE-0-2023-25163)

Vulnerability from cvelistv5 – Published: 2023-02-08 20:44 – Updated: 2025-03-10 21:14

Title

Argo CD leaks repository credentials in user-facing error messages and in logs

Summary

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

CWE

CWE-532 - Insertion of Sensitive Information into Log File

Assigner

GitHub_M

References

URL

Tags

	https://github.com/argoproj/argo-cd/security/advi…	x_refsource_CONFIRM
	https://github.com/argoproj/argo-cd/issues/12309	x_refsource_MISC
	https://github.com/argoproj/argo-cd/pull/12320	x_refsource_MISC
	https://argo-cd.readthedocs.io/en/stable/operator…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	argoproj	argo-cd	Affected: >= 2.6.0-rc1, < 2.6.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T11:18:35.638Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/issues/12309",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/issues/12309"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/pull/12320",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/pull/12320"
          },
          {
            "name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-25163",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-10T20:58:07.337918Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-10T21:14:27.698Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "argo-cd",
          "vendor": "argoproj",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.6.0-rc1, \u003c 2.6.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-532",
              "description": "CWE-532: Insertion of Sensitive Information into Log File",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-02-08T20:44:17.940Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/issues/12309",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/issues/12309"
        },
        {
          "name": "https://github.com/argoproj/argo-cd/pull/12320",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/pull/12320"
        },
        {
          "name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/"
        }
      ],
      "source": {
        "advisory": "GHSA-mv6w-j4xc-qpfw",
        "discovery": "UNKNOWN"
      },
      "title": "Argo CD leaks repository credentials in user-facing error messages and in logs"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-25163",
    "datePublished": "2023-02-08T20:44:17.940Z",
    "dateReserved": "2023-02-03T16:59:18.245Z",
    "dateUpdated": "2025-03-10T21:14:27.698Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-25163",
      "date": "2026-05-05",
      "epss": "0.00205",
      "percentile": "0.42378"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-25163\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-02-08T21:15:10.847\",\"lastModified\":\"2024-11-21T07:49:13.887\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":4.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"B006144B-912D-4010-8FD7-5747D1E7978F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E9E8774-D703-4CE5-8B90-EE3CD7A45005\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"EC71D67C-2326-401A-AB60-961A3C500FDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"F78053BA-9B03-4831-881A-8C71C8B583D8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"F5C06F6A-AB8A-4633-912E-B07046ECF5C8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"9B7D280E-A667-423A-ACE6-293D7AE8CC74\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4488059-5CCC-445F-B65C-A16055CD7DC0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:argoproj:argo_cd:2.6.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2A7FB64-3210-4D5B-B1C5-0CCBE334B6F6\"}]}]}],\"references\":[{\"url\":\"https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/argoproj/argo-cd/issues/12309\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/argoproj/argo-cd/pull/12320\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Not Applicable\"]},{\"url\":\"https://github.com/argoproj/argo-cd/issues/12309\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/argoproj/argo-cd/pull/12320\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw\", \"name\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/issues/12309\", \"name\": \"https://github.com/argoproj/argo-cd/issues/12309\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/pull/12320\", \"name\": \"https://github.com/argoproj/argo-cd/pull/12320\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/\", \"name\": \"https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T11:18:35.638Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-25163\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-03-10T20:58:07.337918Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-03-10T20:58:08.581Z\"}}], \"cna\": {\"title\": \"Argo CD leaks repository credentials in user-facing error messages and in logs\", \"source\": {\"advisory\": \"GHSA-mv6w-j4xc-qpfw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"argoproj\", \"product\": \"argo-cd\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.6.0-rc1, \u003c 2.6.1\"}]}], \"references\": [{\"url\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw\", \"name\": \"https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/issues/12309\", \"name\": \"https://github.com/argoproj/argo-cd/issues/12309\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/argoproj/argo-cd/pull/12320\", \"name\": \"https://github.com/argoproj/argo-cd/pull/12320\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/\", \"name\": \"https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-532\", \"description\": \"CWE-532: Insertion of Sensitive Information into Log File\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-02-08T20:44:17.940Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-25163\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-03-10T21:14:27.698Z\", \"dateReserved\": \"2023-02-03T16:59:18.245Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-02-08T20:44:17.940Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GSD-2023-25163

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-25163

Aliases

CVE-2023-25163

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-25163",
    "id": "GSD-2023-25163"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-25163"
      ],
      "details": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
      "id": "GSD-2023-25163",
      "modified": "2023-12-13T01:20:39.957961Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-25163",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "argo-cd",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003e= 2.6.0-rc1, \u003c 2.6.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "argoproj"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-532",
                "lang": "eng",
                "value": "CWE-532: Insertion of Sensitive Information into Log File"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw",
            "refsource": "MISC",
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/issues/12309",
            "refsource": "MISC",
            "url": "https://github.com/argoproj/argo-cd/issues/12309"
          },
          {
            "name": "https://github.com/argoproj/argo-cd/pull/12320",
            "refsource": "MISC",
            "url": "https://github.com/argoproj/argo-cd/pull/12320"
          },
          {
            "name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/",
            "refsource": "MISC",
            "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-mv6w-j4xc-qpfw",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=v2.6.0-rc1 \u003cv2.6.1",
          "affected_versions": "All versions starting from 2.6.0-rc1 before 2.6.1",
          "cwe_ids": [
            "CWE-1035",
            "CWE-532",
            "CWE-937"
          ],
          "date": "2023-02-08",
          "description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
          "fixed_versions": [
            "v2.6.1"
          ],
          "identifier": "CVE-2023-25163",
          "identifiers": [
            "GHSA-mv6w-j4xc-qpfw",
            "CVE-2023-25163"
          ],
          "not_impacted": "All versions before 2.6.0-rc1, all versions starting from 2.6.1",
          "package_slug": "go/github.com/argoproj/argo-cd",
          "pubdate": "2023-02-08",
          "solution": "Upgrade to version 2.6.1 or above.",
          "title": "Insertion of Sensitive Information into Log File",
          "urls": [
            "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-25163",
            "https://github.com/argoproj/argo-cd/issues/12309",
            "https://github.com/argoproj/argo-cd/pull/12320",
            "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/",
            "https://github.com/advisories/GHSA-mv6w-j4xc-qpfw"
          ],
          "uuid": "20ab6d52-1ee0-441e-8cc5-3d80ab7b3dc8",
          "versions": [
            {
              "commit": {
                "sha": "81e40d53fe8eee50b00ab38c4b07b34b3dcd6d25",
                "tags": [
                  "v2.6.0-rc1"
                ],
                "timestamp": "20221219163627"
              },
              "number": "v2.6.0-rc1"
            },
            {
              "commit": {
                "sha": "3f143c9307f99a61bf7049a2b1c7194699a7c21b",
                "tags": [
                  "v2.6.1"
                ],
                "timestamp": "20230208183536"
              },
              "number": "v2.6.1"
            }
          ]
        },
        {
          "affected_range": "\u003e=v2.6.0-rc1 \u003cv2.6.1",
          "affected_versions": "All versions starting from 2.6.0-rc1 before 2.6.1",
          "cwe_ids": [
            "CWE-1035",
            "CWE-532",
            "CWE-937"
          ],
          "date": "2023-02-15",
          "description": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.",
          "fixed_versions": [
            "v2.6.1"
          ],
          "identifier": "CVE-2023-25163",
          "identifiers": [
            "GHSA-mv6w-j4xc-qpfw",
            "CVE-2023-25163"
          ],
          "not_impacted": "All versions before 2.6.0-rc1, all versions starting from 2.6.1",
          "package_slug": "go/github.com/argoproj/argo-cd/v2",
          "pubdate": "2023-02-08",
          "solution": "Upgrade to version 2.6.1 or above.",
          "title": "Insertion of Sensitive Information into Log File",
          "urls": [
            "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-25163",
            "https://github.com/argoproj/argo-cd/issues/12309",
            "https://github.com/argoproj/argo-cd/pull/12320",
            "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/",
            "https://pkg.go.dev/vuln/GO-2023-1548",
            "https://github.com/advisories/GHSA-mv6w-j4xc-qpfw"
          ],
          "uuid": "a20205eb-3b62-467d-a9f7-de11bde96144",
          "versions": [
            {
              "commit": {
                "sha": "81e40d53fe8eee50b00ab38c4b07b34b3dcd6d25",
                "tags": [
                  "v2.6.0-rc1"
                ],
                "timestamp": "20221219163627"
              },
              "number": "v2.6.0-rc1"
            },
            {
              "commit": {
                "sha": "3f143c9307f99a61bf7049a2b1c7194699a7c21b",
                "tags": [
                  "v2.6.1"
                ],
                "timestamp": "20230208183536"
              },
              "number": "v2.6.1"
            }
          ]
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:2.6.0:rc1:*:*:*:kubernetes:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:2.6.0:rc2:*:*:*:kubernetes:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:2.6.0:rc3:*:*:*:kubernetes:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:2.6.0:rc4:*:*:*:kubernetes:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:2.6.0:rc5:*:*:*:kubernetes:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:2.6.0:rc6:*:*:*:kubernetes:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:2.6.0:rc7:*:*:*:kubernetes:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:2.6.0:-:*:*:*:kubernetes:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-25163"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-532"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/argoproj/argo-cd/issues/12309",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://github.com/argoproj/argo-cd/issues/12309"
            },
            {
              "name": "https://github.com/argoproj/argo-cd/pull/12320",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/argoproj/argo-cd/pull/12320"
            },
            {
              "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw"
            },
            {
              "name": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/",
              "refsource": "MISC",
              "tags": [
                "Not Applicable"
              ],
              "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2023-02-18T21:48Z",
      "publishedDate": "2023-02-08T21:15Z"
    }
  }
}

GHSA-MV6W-J4XC-QPFW

Vulnerability from github – Published: 2023-02-08 22:37 – Updated: 2024-09-12 17:51

Summary

Argo CD leaks repository credentials in user-facing error messages and in logs

Details

Impact

All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have applications, create or applications, update RBAC access to reach the code which may produce the error.

The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository.

If the user has repositories, update access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway.

Patches

A patch for this vulnerability has been released in the following Argo CD version:

v2.6.1

Workarounds

The only way to completely resolve the issue is to upgrade.

Mitigations

To mitigate the issue, make sure that your repo credentials have only least necessary privileges. For example, the credentials should not have push access, and they should not have access to more resources than what Argo CD actually needs (for example, a whole GitHub org when only one repo is needed).

To further mitigate the impact of a leaked write-capable repo credential, you could enable commit signature verification. Even if someone could push a malicious commit, the commit would not by synced.

You should also enforce least privileges in Argo CD RBAC. Make sure users only have repositories, update, applications, update, or applications, create access if they absolutely need it.

References

The problem was initially reported in a GitHub issue
Argo CD RBAC configuration documentation

For more information

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Severity ?

6.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0-rc1"
            },
            {
              "fixed": "2.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25163"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-08T22:37:10Z",
    "nvd_published_at": "2023-02-08T21:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nAll versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error.\n\nThe user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. \n\nIf the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway.\n\n### Patches\n\nA patch for this vulnerability has been released in the following Argo CD version:\n\n* v2.6.1\n\n### Workarounds\n\nThe only way to completely resolve the issue is to upgrade.\n\n#### Mitigations\n\nTo mitigate the issue, make sure that your repo credentials have only least necessary privileges. For example, the credentials should not have push access, and they should not have access to more resources than what Argo CD actually needs (for example, a whole GitHub org when only one repo is needed).\n\nTo further mitigate the impact of a leaked write-capable repo credential, you could [enable commit signature verification](https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/#enforcing-signature-verification). Even if someone could push a malicious commit, the commit would not by synced.\n\nYou should also enforce least privileges in Argo CD RBAC. Make sure users only have `repositories, update`, `applications, update`, or `applications, create` access if they absolutely need it.\n\n### References\n\n* The problem was initially reported in a [GitHub issue](https://github.com/argoproj/argo-cd/issues/12309)\n* [Argo CD RBAC configuration documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/)\n\n### For more information\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd\n",
  "id": "GHSA-mv6w-j4xc-qpfw",
  "modified": "2024-09-12T17:51:53Z",
  "published": "2023-02-08T22:37:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25163"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/issues/12309"
    },
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/pull/12320"
    },
    {
      "type": "WEB",
      "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2023-1548"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Argo CD leaks repository credentials in user-facing error messages and in logs"
}

BDU:2023-00763

Vulnerability from fstec - Published: 03.02.2023

Title

Уязвимость интерфейса декларативного инструмента непрерывной доставки GitOps для Kubernetes Argo CD, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Description

Уязвимость интерфейса декларативного инструмента непрерывной доставки GitOps для Kubernetes Argo CD связана с раскрытием информации через регистрационные файлы. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить несанкционированный доступ к защищаемой информации

Severity ?


                    
                      AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Vendor

The Linux Foundation

Software Name

Argo CD

Software Version

от 2.6.0-rc1 до 2.6.1 (Argo CD)

Possible Mitigations

Использование рекомендаций: https://github.com/argoproj/argo-cd/pull/12320 https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw https://github.com/golang/vulndb/issues/1548 https://github.com/argoproj/argo-cd/issues/12309 Компенсирующие меры: 1. Обеспечить минимальные привилегии, применив политику на основе ролей (Role Based Access Control, RBAC), чтобы у пользователей для выполнения действий: «repositories, update», «applications, update» или «applications, create» был доступ только в случае крайней необходимости. 2. Настроить принудительную проверку подписи объекта фиксации (инструкция: https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/#enforcing-signature-verification)

Reference

https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/ https://github.com/argoproj/argo-cd/issues/12309 https://github.com/argoproj/argo-cd/pull/12320 https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw https://nvd.nist.gov/vuln/detail/CVE-2023-25163 https://vuldb.com/ru/?id.220463 https://github.com/golang/vulndb/issues/1548

CWE

CWE-532

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:N/C:C/I:N/A:N",
  "CVSS 3.0": "AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "The Linux Foundation",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u043e\u0442 2.6.0-rc1 \u0434\u043e 2.6.1 (Argo CD)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\nhttps://github.com/argoproj/argo-cd/pull/12320\nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw\nhttps://github.com/golang/vulndb/issues/1548\nhttps://github.com/argoproj/argo-cd/issues/12309\n\n\u041a\u043e\u043c\u043f\u0435\u043d\u0441\u0438\u0440\u0443\u044e\u0449\u0438\u0435 \u043c\u0435\u0440\u044b:\n1. \u041e\u0431\u0435\u0441\u043f\u0435\u0447\u0438\u0442\u044c \u043c\u0438\u043d\u0438\u043c\u0430\u043b\u044c\u043d\u044b\u0435 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438, \u043f\u0440\u0438\u043c\u0435\u043d\u0438\u0432 \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0443 \u043d\u0430 \u043e\u0441\u043d\u043e\u0432\u0435 \u0440\u043e\u043b\u0435\u0439 (Role Based Access Control, RBAC), \u0447\u0442\u043e\u0431\u044b \u0443 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u0439 \u0434\u043b\u044f \u0432\u044b\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0439: \u00abrepositories, update\u00bb, \u00abapplications, update\u00bb \u0438\u043b\u0438 \u00abapplications, create\u00bb \u0431\u044b\u043b \u0434\u043e\u0441\u0442\u0443\u043f \u0442\u043e\u043b\u044c\u043a\u043e \u0432 \u0441\u043b\u0443\u0447\u0430\u0435 \u043a\u0440\u0430\u0439\u043d\u0435\u0439 \u043d\u0435\u043e\u0431\u0445\u043e\u0434\u0438\u043c\u043e\u0441\u0442\u0438.\n2. \u041d\u0430\u0441\u0442\u0440\u043e\u0438\u0442\u044c \u043f\u0440\u0438\u043d\u0443\u0434\u0438\u0442\u0435\u043b\u044c\u043d\u0443\u044e \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0443 \u043f\u043e\u0434\u043f\u0438\u0441\u0438 \u043e\u0431\u044a\u0435\u043a\u0442\u0430 \u0444\u0438\u043a\u0441\u0430\u0446\u0438\u0438 (\u0438\u043d\u0441\u0442\u0440\u0443\u043a\u0446\u0438\u044f: https://argo-cd.readthedocs.io/en/stable/user-guide/gpg-verification/#enforcing-signature-verification)",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "03.02.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "17.02.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "17.02.2023",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-00763",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-25163",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0430\u0440\u0445\u0438\u0442\u0435\u043a\u0442\u0443\u0440\u044b",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Argo CD",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u0434\u0435\u043a\u043b\u0430\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0433\u043e \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u043d\u0435\u043f\u0440\u0435\u0440\u044b\u0432\u043d\u043e\u0439 \u0434\u043e\u0441\u0442\u0430\u0432\u043a\u0438 GitOps \u0434\u043b\u044f Kubernetes Argo CD, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0420\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u0447\u0435\u0440\u0435\u0437 \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0435 \u0444\u0430\u0439\u043b\u044b (CWE-532)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u0434\u0435\u043a\u043b\u0430\u0440\u0430\u0442\u0438\u0432\u043d\u043e\u0433\u043e \u0438\u043d\u0441\u0442\u0440\u0443\u043c\u0435\u043d\u0442\u0430 \u043d\u0435\u043f\u0440\u0435\u0440\u044b\u0432\u043d\u043e\u0439 \u0434\u043e\u0441\u0442\u0430\u0432\u043a\u0438 GitOps \u0434\u043b\u044f Kubernetes Argo CD \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0440\u0430\u0441\u043a\u0440\u044b\u0442\u0438\u0435\u043c \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438 \u0447\u0435\u0440\u0435\u0437 \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0435 \u0444\u0430\u0439\u043b\u044b. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u0431\u043e\u0440 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/ \nhttps://github.com/argoproj/argo-cd/issues/12309 \nhttps://github.com/argoproj/argo-cd/pull/12320 \nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-25163\nhttps://vuldb.com/ru/?id.220463\nhttps://github.com/golang/vulndb/issues/1548",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-532",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5,4)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,3)"
}

FKIE_CVE-2023-25163

Vulnerability from fkie_nvd - Published: 2023-02-08 21:15 - Updated: 2024-11-21 07:49

Severity ?

6.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/	Not Applicable
security-advisories@github.com	https://github.com/argoproj/argo-cd/issues/12309	Issue Tracking, Third Party Advisory
security-advisories@github.com	https://github.com/argoproj/argo-cd/pull/12320	Patch
security-advisories@github.com	https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/	Not Applicable
af854a3a-2127-422b-91ae-364da2661108	https://github.com/argoproj/argo-cd/issues/12309	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/argoproj/argo-cd/pull/12320	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw	Vendor Advisory

Impacted products

Vendor	Product	Version
argoproj	argo_cd	2.6.0
argoproj	argo_cd	2.6.0
argoproj	argo_cd	2.6.0
argoproj	argo_cd	2.6.0
argoproj	argo_cd	2.6.0
argoproj	argo_cd	2.6.0
argoproj	argo_cd	2.6.0
argoproj	argo_cd	2.6.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "B006144B-912D-4010-8FD7-5747D1E7978F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "4E9E8774-D703-4CE5-8B90-EE3CD7A45005",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "EC71D67C-2326-401A-AB60-961A3C500FDC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F78053BA-9B03-4831-881A-8C71C8B583D8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "F5C06F6A-AB8A-4633-912E-B07046ECF5C8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "9B7D280E-A667-423A-ACE6-293D7AE8CC74",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:rc6:*:*:*:*:*:*",
              "matchCriteriaId": "B4488059-5CCC-445F-B65C-A16055CD7DC0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:argoproj:argo_cd:2.6.0:rc7:*:*:*:*:*:*",
              "matchCriteriaId": "B2A7FB64-3210-4D5B-B1C5-0CCBE334B6F6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability."
    }
  ],
  "id": "CVE-2023-25163",
  "lastModified": "2024-11-21T07:49:13.887",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 4.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-02-08T21:15:10.847",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/argoproj/argo-cd/issues/12309"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/argoproj/argo-cd/pull/12320"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/argoproj/argo-cd/issues/12309"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/argoproj/argo-cd/pull/12320"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-532"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-25163 (GCVE-0-2023-25163)

GSD-2023-25163

GHSA-MV6W-J4XC-QPFW

Impact

Patches

Workarounds

Mitigations

References

For more information

BDU:2023-00763

FKIE_CVE-2023-25163

Tags

Sightings

Nomenclature