x/vulndb: potential Go vuln in github.com/argoproj/gitops-engine: GHSA-274v-mgcv-cm8j

[GoVulnBot]

Advisory GHSA-274v-mgcv-cm8j references a vulnerability in the following Go modules:

Module
github.com/argoproj/gitops-engine

Description:

Impact

A vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository.

The vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.

Patches

A patch for this vulnerability is available in the following Argo CD versions:

• v2.13.4
• v2.12.10
• v2.11.1...

References:

• ADVISORY: GHSA-274v-mgcv-cm8j
• ADVISORY: GHSA-274v-mgcv-cm8j
• FIX: argoproj/argo-cd@6f5537b
• FIX: argoproj/gitops-engine@7e21b91
• WEB: GHSA-47g2-qmh2-749v

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/gitops-engine
      vulnerable_at: 0.7.3
summary: Argo CD GitOps Engine does not scrub secret values from patch errors in github.com/argoproj/gitops-engine
ghsas:
    - GHSA-274v-mgcv-cm8j
references:
    - advisory: https://github.com/advisories/GHSA-274v-mgcv-cm8j
    - advisory: https://github.com/argoproj/gitops-engine/security/advisories/GHSA-274v-mgcv-cm8j
    - fix: https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107
    - fix: https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca
    - web: https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v
source:
    id: GHSA-274v-mgcv-cm8j
    created: 2025-01-30T18:01:16.091346618Z
review_status: UNREVIEWED