{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-23216", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-13T17:15:41.051Z", "datePublished": "2025-01-30T15:30:05.405Z", "dateUpdated": "2025-02-12T19:51:12.285Z"}, "containers": {"cna": {"title": "Argo CD does not scrub secret values from patch errors", "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "lang": "en", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v"}, {"name": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107", "tags": ["x_refsource_MISC"], "url": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107"}, {"name": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca", "tags": ["x_refsource_MISC"], "url": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca"}], "affected": [{"vendor": "argoproj", "product": "argo-cd", "versions": [{"version": ">= 2.13.0, < 2.13.4", "status": "affected"}, {"version": ">= 2.12.0, < 2.12.10", "status": "affected"}, {"version": "< 2.11.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-30T15:30:05.405Z"}, "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13."}], "source": {"advisory": "GHSA-47g2-qmh2-749v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23216", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-30T16:40:31.507364Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:51:12.285Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "C1D748B7-084E-4C91-804D-82FC2E0E2E26", "versionEndExcluding": "2.11.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "03CF58BD-4241-43D1-8319-B6130B558B40", "versionEndExcluding": "2.12.10", "versionStartIncluding": "2.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "B5AFD099-E58F-40C6-80AA-ACCC68F04FD5", "versionEndExcluding": "2.13.4", "versionStartIncluding": "2.13.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13."}, {"lang": "es", "value": "Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Se descubri\u00f3 una vulnerabilidad en Argo CD que expon\u00eda valores secretos en mensajes de error y en la vista de diferencias cuando se sincronizaba un recurso secreto de Kubernetes no v\u00e1lido desde un repositorio. La vulnerabilidad supone que el usuario tiene acceso de escritura al repositorio y puede explotarla, ya sea intencional o involuntariamente, al confirmar un secreto no v\u00e1lido en el repositorio y activar una sincronizaci\u00f3n. Una vez explotada, cualquier usuario con acceso de lectura a Argo CD puede ver los datos secretos expuestos. La vulnerabilidad se corrigi\u00f3 en las versiones v2.13.4, v2.12.10 y v2.11.13."}], "id": "CVE-2025-23216", "lastModified": "2025-06-06T15:44:21.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-01-30T16:15:31.473", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Patch"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-209"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argocd-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argocd-rhel9-container-v1.14.3-1", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argo-rollouts-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-console-plugin-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-dex-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-kam-delivery-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-must-gather-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-operator-bundle-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-operator-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-extensions-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-rhel9:v1.15.1-1", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argo-rollouts-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/console-plugin-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/dex-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-operator-bundle:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/must-gather-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}], "bugzilla": {"description": "argocd: Argo CD does not scrub secret values from patch errors", "id": "2342987", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342987"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "(CWE-200|CWE-209)", "details": ["Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13.", "A vulnerability was found in Argo CD where secret values can be exposed in error messages when an invalid Kubernetes Secret resource is synced from a repository. An attacker must have write access to the repository and any user with read access can view the exposed data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-23216", "public_date": "2025-01-30T15:30:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-23216\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23216\nhttps://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107\nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v\nhttps://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca"], "threat_severity": "Moderate"}

{}