PT-2025-4855 · Argo CD
Credits: Jannfis (and one additional reporter)
Published: 2025-01-30 · Updated: 2025-06-06
CVE-2025-23216 · CVSS base score 6.8 (Medium)
CVSS base vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Argo CD versions prior to v2.13.4
Argo CD versions prior to v2.12.10
Argo CD versions prior to v2.11.13
Description:
A vulnerability was discovered in Argo CD that exposed Secret values in error messages and in the diff view when an invalid Kubernetes Secret resource was synced from a repository. Exploitation requires write access to the repository: a user with that access can trigger the issue, intentionally or unintentionally, by committing an invalid Secret to the repository and starting a Sync. Once triggered, any user with read access to Argo CD can view the exposed secret data.
Recommendations:
For versions prior to v2.13.4, update to v2.13.4 or later to fix the vulnerability.
For versions prior to v2.12.10, update to v2.12.10 or later to fix the vulnerability.
For versions prior to v2.11.13, update to v2.11.13 or later to fix the vulnerability.
No temporary workaround is available; upgrading to the fixed versions listed above is the recommended course of action.
Fix available: yes (see Recommendations)
CWE: Generation of Error Message Containing Sensitive Information
Vulnerability type: Information Disclosure
References
- https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 · Patch
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v · Patch
- https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca · Patch
- https://osv.dev/vulnerability/SUSE-SU-2025:0429-1 · Vendor Advisory
- https://bdu.fstec.ru/vul/2025-03456 · Security Note
- https://bdu.fstec.ru/vul/2025-06412 · Security Note
- https://bdu.fstec.ru/vul/2025-02667 · Security Note
- https://osv.dev/vulnerability/GHSA-47g2-qmh2-749v · Vendor Advisory
- https://bdu.fstec.ru/vul/2025-01439 · Security Note
- https://bdu.fstec.ru/vul/2025-02447 · Security Note
- https://osv.dev/vulnerability/CVE-2025-23216 · Vendor Advisory
- https://bdu.fstec.ru/vul/2025-02456 · Security Note
- https://bdu.fstec.ru/vul/2025-02454 · Security Note
- https://bdu.fstec.ru/vul/2025-02785 · Security Note
- https://nvd.nist.gov/vuln/detail/CVE-2025-23216 · Security Note