PT-2025-4855 · Argo Cd+1 · Argo Cd+1
Jannfis
+1
·
Published
2025-01-30
·
Updated
2025-06-06
·
CVE-2025-23216
CVSS v3.1
6.8
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Argo CD versions prior to v2.13.4
Argo CD versions prior to v2.12.10
Argo CD versions prior to v2.11.13
Description
A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.
Recommendations
For versions prior to v2.13.4, update to v2.13.4 or later to fix the vulnerability.
For versions prior to v2.12.10, update to v2.12.10 or later to fix the vulnerability.
For versions prior to v2.11.13, update to v2.11.13 or later to fix the vulnerability.
As a temporary workaround is not available, upgrading to the specified versions is the recommended course of action.
Exploit
Fix
Generation of Error Message Containing Sensitive Information
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Argo Cd
Suse