Main Vulnerability Database SB2023020876

SB2023020876 - Information disclosure in Argo CD

Published: February 8, 2023

Security Bulletin ID SB2023020876

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Information disclosure (CVE-ID: CVE-2023-25163)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI). The user must have applications, create or applications, update RBAC access to reach the code which may produce the error. A remote user can gain unauthorized access to sensitive information.

Remediation

Install update from vendor's website.

References

https://github.com/argoproj/argo-cd/security/advisories/GHSA-mv6w-j4xc-qpfw