Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.
The API endpoint returning project details does not properly filter sensitive repository credential data before returning the response. An API token with the `projects, get` permission — at both project and global levels (e.g., `p, role/user, projects, get, *, allow`) — can retrieve full repository credentials associated with the project, despite not having explicit access to secrets granted. The error is classified as CWE-200 (exposure of sensitive information to unauthorized parties).
An attacker possessing any API token with project read permission can obtain usernames and passwords to source code repositories, which may lead to repository takeover, code theft, or lateral movement in the CI/CD infrastructure.
Argo CD should be updated to version 2.13.9, 2.14.16, 3.0.14, or 3.1.2, in which the vulnerability has been fixed. Until the update is applied, it is recommended to audit granted API tokens and restrict `projects, get` permissions only to trusted entities.
Argo CD in versions 2.13.0–2.13.8, 2.14.0–2.14.15, 3.0.0–3.0.12, and 3.1.0-rc1–3.1.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HArgoproj Argo Cd
APPArgoproj2.2.0 – 2.13.9 (bez)2.14.0 – 2.14.16 (bez)3.0.0 – 3.0.14 (bez)3.1.0 – 3.1.2 (bez)
Related vulnerabilities
Argo CD: ujawnienie danych Secret Kubernetes przez endpoint ServerSideDiff
XSS w Argo CD — wykonanie akcji w imieniu ofiary via API
Argo CD: nieautoryzowany dostęp do Redis umożliwia privilege escalation
Argo CD: Ominięcie ochrony przed brute force logowania
Argo CD: XSS w adnotacjach linków umożliwia przejęcie uprawnień