
CVSS: 6.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

07 Sep 2023 — Argo CD is a declarative continuous deployment tool for Kubernetes. All versions of Argo CD starting from v2.4 have a bug where the repo-server component is vulnerable to a Denial-of-Service attack. Specifically, the repo-server extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a crafted tar.gz file that exploits this vulnerability to the repo-server, thereby harming the system's functionality and availa... • https://github.com/argoproj/argo-cd/commit/b8f92c4ff226346624f43de3f25d81dac6386674 • CWE-400: Uncontrolled Resource Consumption •
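The weakness above is the classic decompression bomb: a tar.gz a few kilobytes long on the wire can declare inner files of arbitrary size, and an extractor that trusts the stream inflates them in full. The following is an added example, not Argo CD's own code or the patch linked above; it shows the unchecked pattern beside a bounded extractor that checks each tar header against a per-file and a total cap before decompressing the entry. The `Limits` type, the function names and the constructed 8 MiB zero-filled fixture are assumptions for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when an inner file, or the archive as a whole,
// would exceed the configured limits.
var ErrTooLarge = errors.New("archive entry exceeds size limit")

// Limits bounds what one extraction may consume (hypothetical type).
type Limits struct {
	MaxFileBytes  int64 // cap on a single inner file
	MaxTotalBytes int64 // cap on all inner files together
}

// walk gunzips archive and calls visit for every regular-file entry.
func walk(archive []byte, visit func(hdr *tar.Header, body io.Reader) error) error {
	gz, err := gzip.NewReader(bytes.NewReader(archive))
	if err != nil {
		return err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		if err := visit(hdr, tr); err != nil {
			return err
		}
	}
}

// ExtractUnchecked mirrors the vulnerable pattern: every inner file is read in
// full, so a few KiB of gzip that expand to gigabytes are accepted as-is.
// The returned map is partial when err != nil.
func ExtractUnchecked(archive []byte) (map[string][]byte, error) {
	out := map[string][]byte{}
	err := walk(archive, func(hdr *tar.Header, body io.Reader) error {
		data, err := io.ReadAll(body) // trusts hdr.Size blindly
		if err != nil {
			return err
		}
		out[hdr.Name] = data
		return nil
	})
	return out, err
}

// ExtractBounded rejects the archive as soon as a header declares a file larger
// than MaxFileBytes or the running total would pass MaxTotalBytes; the header is
// checked before any byte of that entry is decompressed.
func ExtractBounded(archive []byte, lim Limits) (map[string][]byte, error) {
	out := map[string][]byte{}
	var total int64
	err := walk(archive, func(hdr *tar.Header, body io.Reader) error {
		if hdr.Size > lim.MaxFileBytes || total+hdr.Size > lim.MaxTotalBytes {
			return ErrTooLarge
		}
		// archive/tar already stops each entry at hdr.Size; the LimitReader is a
		// second line of defence in case the declared size is ever not enforced.
		data, err := io.ReadAll(io.LimitReader(body, lim.MaxFileBytes+1))
		if err != nil {
			return err
		}
		if int64(len(data)) > lim.MaxFileBytes {
			return ErrTooLarge
		}
		total += int64(len(data))
		out[hdr.Name] = data
		return nil
	})
	return out, err
}

// BuildTarGz builds an in-memory tar.gz from files (constructed fixture only).
func BuildTarGz(files map[string][]byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, data := range files {
		hdr := &tar.Header{Name: name, Mode: 0644, Size: int64(len(data)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		if _, err := tw.Write(data); err != nil {
			panic(err)
		}
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() {
	// Constructed bomb: 8 MiB of zero bytes gzip down to a few KiB on the wire.
	bomb := BuildTarGz(map[string][]byte{"manifests/app.yaml": make([]byte, 8<<20)})
	_, err := ExtractBounded(bomb, Limits{MaxFileBytes: 1 << 20, MaxTotalBytes: 4 << 20})
	fmt.Printf("archive on the wire: %d bytes, bounded extraction: %v\n", len(bomb), err)
}
```

The size check on `hdr.Size` is what matters: it fires before the entry is inflated, so the cost of a rejected archive is bounded by the gzip bytes actually received. A check that only counts bytes after `io.ReadAll` has already allocated them is too late.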

CVSS: 9.9 | EPSS: 1% | CPEs: 3 | EXPL: 2

07 Sep 2023 — Argo CD is a declarative continuous deployment tool for Kubernetes. Argo CD cluster secrets may be managed declaratively using Argo CD / kubectl apply. As a result, the full secret body is stored in the `kubectl.kubernetes.io/last-applied-configuration` annotation. Pull request #7139 introduced the ability to manage cluster labels and annotations. Since clusters are stored as secrets, this also exposes the `kubectl.kubernetes.io/last-applied-configuration` annotation, which includes the full secret body. In order to view t... • https://github.com/guobei233/CVE-2023-40029 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
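The mechanism here is easy to miss: `kubectl apply` records the object as it was applied in the last-applied annotation, and for a Secret that record includes the plaintext `stringData`. Any API that copies a cluster secret's annotations through to a caller therefore hands over the credentials. The block below is an added example, not Argo CD's code or the linked proof of concept: `MakeClusterSecret` is a simplified imitation of what kubectl stores (the real annotation is written by kubectl), `LeakedKeys` reports which keys the annotation repeats in plaintext, and `ClusterAnnotations` contrasts passing annotations through unfiltered with dropping the last-applied one. The token, server and function names are constructed assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"sort"
)

const lastAppliedKey = "kubectl.kubernetes.io/last-applied-configuration"

// Secret is the subset of a Kubernetes Secret needed here.
type Secret struct {
	APIVersion string            `json:"apiVersion"`
	Kind       string            `json:"kind"`
	Metadata   Metadata          `json:"metadata"`
	Data       map[string]string `json:"data,omitempty"`
	StringData map[string]string `json:"stringData,omitempty"`
}

type Metadata struct {
	Name        string            `json:"name"`
	Namespace   string            `json:"namespace"`
	Labels      map[string]string `json:"labels,omitempty"`
	Annotations map[string]string `json:"annotations,omitempty"`
}

// MakeClusterSecret imitates "kubectl apply" of a declarative Argo CD cluster
// secret: the applied object, stringData included, is serialised into the
// last-applied annotation while the stored object carries base64 data.
// Simplified imitation for this example; kubectl produces the real annotation.
func MakeClusterSecret(name, server, bearerToken string) (*Secret, error) {
	applied := Secret{
		APIVersion: "v1", Kind: "Secret",
		Metadata: Metadata{Name: "cluster-" + name, Namespace: "argocd",
			Labels: map[string]string{"argocd.argoproj.io/secret-type": "cluster"}},
		StringData: map[string]string{
			"name": name, "server": server,
			"config": fmt.Sprintf(`{"bearerToken":%q}`, bearerToken), // constructed value
		},
	}
	raw, err := json.Marshal(applied)
	if err != nil {
		return nil, err
	}
	stored := applied
	stored.Metadata.Annotations = map[string]string{lastAppliedKey: string(raw)}
	stored.Data = map[string]string{}
	for k, v := range applied.StringData {
		stored.Data[k] = base64.StdEncoding.EncodeToString([]byte(v))
	}
	stored.StringData = nil
	return &stored, nil
}

// LeakedKeys reports which secret keys the last-applied annotation repeats in
// plaintext; an empty result means the annotation is absent or carries no data.
func LeakedKeys(s *Secret) ([]string, error) {
	raw, ok := s.Metadata.Annotations[lastAppliedKey]
	if !ok {
		return nil, nil
	}
	var applied Secret
	if err := json.Unmarshal([]byte(raw), &applied); err != nil {
		return nil, err
	}
	var keys []string
	for k := range applied.Data {
		keys = append(keys, k)
	}
	for k := range applied.StringData {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys, nil
}

// ClusterAnnotations models an API that exposes a cluster's annotations. With
// strip=false it copies them through unfiltered (the bug); with strip=true the
// last-applied annotation is dropped before anything leaves the server.
func ClusterAnnotations(s *Secret, strip bool) map[string]string {
	out := map[string]string{}
	for k, v := range s.Metadata.Annotations {
		if strip && k == lastAppliedKey {
			continue
		}
		out[k] = v
	}
	return out
}

func main() {
	s, _ := MakeClusterSecret("prod", "https://10.0.0.1", "CONSTRUCTED-TOKEN")
	keys, _ := LeakedKeys(s)
	fmt.Println("keys repeated in plaintext by the annotation:", keys)
	fmt.Println("annotations after strip:", ClusterAnnotations(s, true))
}
```

Stripping the annotation at the API boundary fixes the exposure path; it does not remove the copy sitting in etcd. Operators who apply secrets declaratively can avoid creating it in the first place with `kubectl apply --server-side` or `kubectl create`/`replace`, neither of which writes the last-applied annotation.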

CVSS: 6.8 | EPSS: 0% | CPEs: 8 | EXPL: 0

08 Feb 2023 — Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefore the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the c... • https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac • CWE-532: Insertion of Sensitive Information into Log File •
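Errors from a git client routinely echo the URL they failed on, userinfo included, and the same string often goes to both the API response and the log. The following is an added example, not Argo CD's code or its fix; it shows the sanitisation step a server should apply once, at the boundary where an error leaves the component: passwords inside URLs are replaced, a bare userinfo (commonly a token) is replaced whole, and any credential values the caller already holds are scrubbed wherever they appear. The function names and the constructed git error are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// urlPattern finds scheme://... tokens inside free-form text such as git's stderr.
var urlPattern = regexp.MustCompile(`[A-Za-z][A-Za-z0-9+.-]*://[^\s'"]+`)

// redactURL blanks the password in a URL's userinfo but keeps the username so the
// message stays useful; a userinfo with no password is usually a token, so it is
// replaced entirely.
func redactURL(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil {
		return raw
	}
	if _, has := u.User.Password(); has {
		u.User = url.UserPassword(u.User.Username(), "REDACTED")
	} else {
		u.User = url.User("REDACTED")
	}
	return u.String()
}

// SanitizeMessage scrubs passwords embedded in URLs and any credential values
// the caller already holds (the repository secret it just loaded), which also
// catches tokens that appear outside a URL, e.g. in an echoed header.
func SanitizeMessage(msg string, known []string) string {
	msg = urlPattern.ReplaceAllStringFunc(msg, redactURL)
	for _, secret := range known {
		if secret != "" {
			msg = strings.ReplaceAll(msg, secret, "REDACTED")
		}
	}
	return msg
}

// SanitizedError wraps err so the same scrubbed text reaches both the API
// response and the log line; sanitising once at the boundary avoids the case
// where one sink is fixed and the other is forgotten.
func SanitizedError(err error, known []string) error {
	if err == nil {
		return nil
	}
	return errors.New(SanitizeMessage(err.Error(), known))
}

func main() {
	// Constructed git failure as a repo-server might see it (not a real log line).
	gitErr := errors.New("fatal: unable to access 'https://deploy:s3cr3tP4ss@git.example.com/org/app.git/': Could not resolve host")
	fmt.Println(SanitizedError(gitErr, []string{"s3cr3tP4ss"}))
}
```

Two caveats worth keeping in mind: the regex only recognises `scheme://` URLs, so scp-style `git@host:org/repo.git` remotes are not rewritten (they carry no password in the string, but an SSH key passphrase echoed elsewhere would only be caught by the known-value pass), and the known-value pass is an exact match, so it must run before any layer that might URL-encode or base64 the value into the message.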