Argo CD · Argo CD · CVE-2025-55190
**Name of the Vulnerable Software and Affected Versions**
Argo CD versions 2.13.0 through 2.13.8
Argo CD versions 2.14.0 through 2.14.15
Argo CD versions 3.0.0 through 3.0.12
Argo CD versions 3.1.0-rc1 through 3.1.1
**Description**
Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, returns the credentials of a project's repositories (usernames and passwords) through the project details API endpoint to any API token that is allowed to `get` that project, even when the token has no permission on secrets or repositories. Any token with a project-level `get` grant is sufficient, including a broad grant such as `p, role/user, projects, get, *, allow`, which matches every project. Internet scan figures cited for this advisory put Argo CD exposure at roughly 488,000 services and 89,000 search results, so the population of reachable instances is large.
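Two checks a practitioner would run after reading the description: is this server on a release that predates the fix, and which RBAC subjects hold a project `get` grant (and can therefore read repository credentials on an unpatched server). The script below is an added example, not code from the Argo CD project or from the advisory. It assumes policy text in the casbin CSV form Argo CD uses in `argocd-rbac-cm` (`p, subject, resource, action, object, effect` and `g, user, role` lines, as on this page) and version strings in the form Argo CD reports (`v2.14.15`, `v3.1.0-rc1`); the sample policy is constructed for the example.

```python
"""Argo CD RBAC and version audit for CVE-2025-55190 (added example, not project code)."""
import re
from collections import defaultdict

# Minor lines the advisory covers, mapped to the release that fixes each one.
FIXED_RELEASES = {
    (2, 13): (2, 13, 9),
    (2, 14): (2, 14, 16),
    (3, 0): (3, 0, 14),
    (3, 1): (3, 1, 2),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")


def parse_version(version):
    """Return (major, minor, patch, prerelease) for a version like 'v3.1.0-rc1'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version: {version!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_vulnerable(version):
    """True if the release predates the fix on its minor line, False if it carries
    the fix, None if the minor line is older than any the advisory covers."""
    major, minor, patch, pre = parse_version(version)
    line = (major, minor)
    if line < min(FIXED_RELEASES):
        return None  # 2.12 and earlier are not in the advisory's affected ranges
    fixed = FIXED_RELEASES.get(line)
    if fixed is None:
        return False  # a line newer than 3.1 was cut after the fix landed
    release = (major, minor, patch)
    # A pre-release of the fix version (e.g. 3.1.2-rc1) still precedes the fix.
    return release < fixed or (release == fixed and pre is not None)


def parse_policy(policy_csv):
    """Parse casbin-style policy lines into (rules, role_bindings)."""
    rules = []
    bindings = defaultdict(set)
    for raw in policy_csv.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(dict(zip(("subject", "resource", "action", "object", "effect"), fields[1:])))
        elif fields[0] == "g" and len(fields) == 3:
            bindings[fields[1]].add(fields[2])
        else:
            raise ValueError(f"malformed policy line: {raw!r}")
    return rules, dict(bindings)


def project_get_grants(policy_csv):
    """Map each subject that may 'get' projects to the project patterns it can read.

    Every subject listed here can pull repository credentials through the project
    details endpoint on an unpatched server, whether or not it holds any
    'repositories' permission. Only 'allow' rules are considered and role
    membership is resolved one level deep (user -> role), which is enough for
    the common argocd-rbac-cm layout.
    """
    rules, bindings = parse_policy(policy_csv)
    grants = defaultdict(list)
    for r in rules:
        if r["effect"] != "allow":
            continue
        if r["resource"] in ("projects", "*") and r["action"] in ("get", "*"):
            grants[r["subject"]].append(r["object"])
    for member, roles in bindings.items():
        for role in roles:
            grants[member].extend(grants.get(role, []))
    return {s: sorted(set(objs)) for s, objs in grants.items() if objs}


# Constructed sample modelled on an argocd-rbac-cm policy.csv; not from any real deployment.
SAMPLE_POLICY = """\
p, role/user, projects, get, *, allow          # broad read: every project, hence every repo credential
p, role/user, applications, get, */*, allow
p, role/deployer, projects, get, team-a, allow  # scoped: one project only
p, role/deployer, applications, sync, team-a/*, allow
p, role/admin, *, *, *, allow                   # wildcard resource and action also cover projects/get
p, role/viewer, applications, get, */*, allow   # never touches projects
g, alice, role/user
g, bob, role/admin
g, carol, role/viewer
"""

if __name__ == "__main__":
    for v in ("v2.14.15", "v2.14.16", "v3.1.0-rc1", "v3.1.2"):
        print(f"{v}: vulnerable={is_vulnerable(v)}")
    for subject, patterns in sorted(project_get_grants(SAMPLE_POLICY).items()):
        print(f"{subject} can read projects {patterns}")
```

Feed `project_get_grants` the contents of the `policy.csv` key of `argocd-rbac-cm`; `alice` shows up with `*` because the role she is bound to has the global grant from the description, while `carol` does not appear at all. Narrowing such grants only shrinks the set of tokens that can reach the leak; the advisory's fix is to upgrade.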
**Recommendations**
Upgrade to a release that contains the fix for the line in use:
Argo CD 2.13.9 or later on the 2.13 line
Argo CD 2.14.16 or later on the 2.14 line
Argo CD 3.0.14 or later on the 3.0 line
Argo CD 3.1.2 or later on the 3.1 line