{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-23216", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-01-13T17:15:41.051Z", "datePublished": "2025-01-30T15:30:05.405Z", "dateUpdated": "2025-02-12T19:51:12.285Z"}, "containers": {"cna": {"title": "Argo CD does not scrub secret values from patch errors", "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "lang": "en", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v"}, {"name": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107", "tags": ["x_refsource_MISC"], "url": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107"}, {"name": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca", "tags": ["x_refsource_MISC"], "url": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca"}], "affected": [{"vendor": "argoproj", "product": "argo-cd", "versions": [{"version": ">= 2.13.0, < 2.13.4", "status": "affected"}, {"version": ">= 2.12.0, < 2.12.10", "status": "affected"}, {"version": "< 2.11.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-01-30T15:30:05.405Z"}, "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13."}], "source": {"advisory": "GHSA-47g2-qmh2-749v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23216", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-30T16:40:31.507364Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:51:12.285Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13."}], "id": "CVE-2025-23216", "lastModified": "2025-01-30T16:15:31.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-01-30T16:15:31.473", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107"}, {"source": "security-advisories@github.com", "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v"}, {"source": "security-advisories@github.com", "url": "https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-209"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argocd-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argocd-rhel9-container-v1.14.3-1", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-argo-rollouts-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-console-plugin-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-dex-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-kam-delivery-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-must-gather-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-operator-bundle-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:3069", "cpe": "cpe:/a:redhat:openshift_gitops:1.14::el8", "package": "openshift-gitops-operator-container-v1.14.3-4", "product_name": "Red Hat OpenShift GitOps 1.14", "release_date": "2025-03-20T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-extensions-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argocd-rhel9:v1.15.1-1", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/argo-rollouts-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/console-plugin-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/dex-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-operator-bundle:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/gitops-rhel8-operator:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}, {"advisory": "RHSA-2025:1888", "cpe": "cpe:/a:redhat:openshift_gitops:1.15::el8", "package": "openshift-gitops-1/must-gather-rhel8:v1.15.1-7", "product_name": "Red Hat OpenShift GitOps 1.15", "release_date": "2025-02-26T00:00:00Z"}], "bugzilla": {"description": "argocd: Argo CD does not scrub secret values from patch errors", "id": "2342987", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2342987"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "status": "verified"}, "cwe": "(CWE-200|CWE-209)", "details": ["Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data. The vulnerability is fixed in v2.13.4, v2.12.10, and v2.11.13.", "A vulnerability was found in Argo CD where secret values can be exposed in error messages when an invalid Kubernetes Secret resource is synced from a repository. An attacker must have write access to the repository and any user with read access can view the exposed data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-23216", "public_date": "2025-01-30T15:30:05Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-23216\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23216\nhttps://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107\nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v\nhttps://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca"], "threat_severity": "Moderate"}