CVE-2023-25163

Argo CD leaks repository credentials in user-facing error messages and in logs

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have `applications, create` or `applications, update` RBAC access to reach the code which may produce the error. The user is not guaranteed to be able to trigger the error message. They may attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or otherwise force an error message. But if they have that level of access, they are probably intended to have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-02-03 CVE Reserved
2023-02-08 CVE Published
2024-08-02 CVE Updated
2024-08-31 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-532: Insertion of Sensitive Information into Log File

CAPEC

References (4)

URL	Tag	Source
https://argo-cd.readthedocs.io/en/stable/operator-manual/rbac	Not Applicable
https://github.com/argoproj/argo-cd/issues/12309	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/argoproj/argo-cd/pull/12320	2023-02-18

URL	Date	SRC
https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw	2023-02-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linuxfoundation Search vendor "Linuxfoundation"		Argo Continuous Delivery Search vendor "Linuxfoundation" for product "Argo Continuous Delivery"				2.6.0 Search vendor "Linuxfoundation" for product "Argo Continuous Delivery" and version "2.6.0"		kubernetes		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Argo Continuous Delivery Search vendor "Linuxfoundation" for product "Argo Continuous Delivery"				2.6.0 Search vendor "Linuxfoundation" for product "Argo Continuous Delivery" and version "2.6.0"		rc1, kubernetes		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Argo Continuous Delivery Search vendor "Linuxfoundation" for product "Argo Continuous Delivery"				2.6.0 Search vendor "Linuxfoundation" for product "Argo Continuous Delivery" and version "2.6.0"		rc2, kubernetes		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Argo Continuous Delivery Search vendor "Linuxfoundation" for product "Argo Continuous Delivery"				2.6.0 Search vendor "Linuxfoundation" for product "Argo Continuous Delivery" and version "2.6.0"		rc3, kubernetes		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Argo Continuous Delivery Search vendor "Linuxfoundation" for product "Argo Continuous Delivery"				2.6.0 Search vendor "Linuxfoundation" for product "Argo Continuous Delivery" and version "2.6.0"		rc4, kubernetes		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Argo Continuous Delivery Search vendor "Linuxfoundation" for product "Argo Continuous Delivery"				2.6.0 Search vendor "Linuxfoundation" for product "Argo Continuous Delivery" and version "2.6.0"		rc5, kubernetes		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Argo Continuous Delivery Search vendor "Linuxfoundation" for product "Argo Continuous Delivery"				2.6.0 Search vendor "Linuxfoundation" for product "Argo Continuous Delivery" and version "2.6.0"		rc6, kubernetes		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Argo Continuous Delivery Search vendor "Linuxfoundation" for product "Argo Continuous Delivery"				2.6.0 Search vendor "Linuxfoundation" for product "Argo Continuous Delivery" and version "2.6.0"		rc7, kubernetes		Affected