GHSA-6W87-G839-9WV7

Vulnerability from github – Published: 2021-05-21 14:31 – Updated: 2021-10-05 16:35
VLAI?
Summary
Helm OCI credentials leaked into Argo CD logs
Details

Impact

When Argo CD was connected to a Helm OCI repository with authentication enabled, the credentials used for accessing the remote repository were logged.

Anyone with access to the pod logs - either via access with appropriate permissions to the Kubernetes control plane or a third party log management system where the logs from Argo CD were aggregated - could have potentially obtained the credentials to the Helm OCI repository.

If you are using Helm OCI repositories with Argo CD, it is strongly recommended to upgrade Argo CD to the latest patch version and to change the credentials used to access the repositories.

Patches

A patch for this vulnerability is available with the v1.8.7 and v1.7.14 releases of Argo CD.

Workarounds

No workaround available

References

N/A

For more information

If you have any questions or comments about this advisory:

Credits

This vulnerability was found and reported by a third-party who wishes to stay anonymous. We want to thank this third-party for disclosing this vulnerability to us in a responsible manner.

Severity ?
6.6 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/argoproj/argo-cd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.8.0"
            },
            {
              "fixed": "1.8.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-21T14:21:01Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\nWhen Argo CD was connected to a Helm OCI repository with authentication enabled, the credentials used for accessing the remote repository were logged.\n\nAnyone with access to the pod logs - either via access with appropriate permissions to the Kubernetes control plane or a third party log management system where the logs from Argo CD were aggregated - could have potentially obtained the credentials to the Helm OCI repository.\n\nIf you are using Helm OCI repositories with Argo CD, it is strongly recommended to upgrade Argo CD to the latest patch version and to change the credentials used to access the repositories.\n\n### Patches\n\nA patch for this vulnerability is available with the v1.8.7 and v1.7.14 releases of Argo CD.\n\n### Workarounds\n\nNo workaround available\n\n### References\n\nN/A\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)\n* Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel `#argo-cd`\n\n### Credits\n\nThis vulnerability was found and reported by a third-party who wishes to stay anonymous. We want to thank this third-party for disclosing this vulnerability to us in a responsible manner.",
  "id": "GHSA-6w87-g839-9wv7",
  "modified": "2021-10-05T16:35:57Z",
  "published": "2021-05-21T14:31:28Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-6w87-g839-9wv7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/argoproj/argo-cd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Helm OCI credentials leaked into Argo CD logs"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.