SB2025013065 - Inclusion of Sensitive Information in Log Files in Argo CD

Description

This security bulletin contains information about 1 vulnerability.

1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2025-23216)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper handling of secret values in patch errors and diff view in Argo CD when syncing an invalid Kubernetes Secret resource from a repository. A remote privileged user can commit an invalid Secret to a repository and trigger a sync to disclose sensitive information.

Once exploited, secret data may be visible to users with read access to Argo CD.

Remediation

Install update from vendor's website.

References

• https://github.com/argoproj/argo-cd/security/advisories/GHSA-47g2-qmh2-749v
• https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107