PT-2025-36094 · Argo CD · Argo CD

Ntammineni5 · Published 2025-09-04 · Updated 2025-09-07 · CVE-2025-55190

CVSS v3.1: 9.9

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

**Name of the Vulnerable Software and Affected Versions:**

Argo CD versions 2.13.0 through 2.13.8

Argo CD versions 2.14.0 through 2.14.15

Argo CD versions 3.0.0 through 3.0.12

Argo CD versions 3.1.0-rc1 through 3.1.1

**Description:**

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, contains a flaw where API tokens with project-level permissions can retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even without explicit access to secrets. Tokens with `projects, get` permissions, including global permissions such as `p, role/user, projects, get, *, allow`, are also affected. Approximately 488,000+ services and 89,000+ results are found to be using Argo CD.
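To see which subjects in your own RBAC policy hold the `projects, get` permission described above, the following added example (not part of the original advisory and not Argo CD's own code) scans `policy.csv` text for matching allow rules and follows `g` bindings. The sample policy, the role and user names, and the function names are constructed for illustration; the code assumes glob matching of the resource and action fields and ignores deny rules.

```python
from fnmatch import fnmatchcase

# Constructed sample in the policy.csv format of the argocd-rbac-cm ConfigMap.
SAMPLE_POLICY = """\
p, role:ci-bot, applications, sync, team-a/*, allow
p, role:ci-bot, projects, get, team-a, allow
p, role:auditor, projects, get, *, allow
p, role:ops, *, *, *, allow
p, role:dev, projects, update, team-b, allow
p, role:blocked, projects, get, *, deny
g, bob, role:oncall
g, role:oncall, role:ops
g, alice, role:auditor
"""

def parse_policy(text):
    """Split policy.csv text into p rules (5 fields each) and g bindings."""
    rules, bindings = [], []
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split(",")]
        if fields[0] == "p" and len(fields) == 6:
            rules.append(tuple(fields[1:]))
        elif fields[0] == "g" and len(fields) == 3:
            bindings.append((fields[1], fields[2]))
    return rules, bindings

def subjects_with_project_get(text):
    """Map each subject to the project patterns it is allowed to `get`.

    Assumption: resource and action are glob-matched. Deny rules are
    ignored, so the result over-reports rather than under-reports.
    """
    rules, bindings = parse_policy(text)
    hits = {}
    for subject, resource, action, obj, effect in rules:
        if effect == "allow" and fnmatchcase("projects", resource) and fnmatchcase("get", action):
            hits.setdefault(subject, set()).add(obj)
    changed = True
    while changed:  # follow g bindings until no subject gains a new pattern
        changed = False
        for member, role in bindings:
            new = hits.get(role, set()) - hits.get(member, set())
            if new:
                hits.setdefault(member, set()).update(new)
                changed = True
    return {subject: sorted(objs) for subject, objs in hits.items()}

if __name__ == "__main__":
    for subject, projects in sorted(subjects_with_project_get(SAMPLE_POLICY).items()):
        print(f"{subject}: projects get on {', '.join(projects)}")
```

Every subject it reports can read project details, so on an affected version any token issued to that subject should be treated as able to read the repository credentials for the listed projects.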

**Recommendations:**

Argo CD versions prior to 2.13.9

Argo CD versions prior to 2.14.16

Argo CD versions prior to 3.0.14

Argo CD versions prior to 3.1.2

Fix · RCE · Information Disclosure

Weakness Enumeration

Related Identifiers: CVE-2025-55190

Affected Products: Argo CD