cnvd - cnvd-2021-36102

cnvd-2021-36102

Vulnerability from cnvd

Title: Argo信息泄露漏洞（CNVD-2021-36102）

Description:

Argo是一款开源的容器本机工作流引擎。

Argo CD存在安全漏洞。该漏洞源于程序的Web UI中的系统数据暴露于未经授权的Control Sphere漏洞中，攻击者可以将泄漏的机密数据导致泄漏到Web UI错误消息和日志中。

Severity: 中

Patch Name: Argo信息泄露漏洞（CNVD-2021-36102）的补丁

Patch Description:

Argo是一款开源的容器本机工作流引擎。

Argo CD存在安全漏洞。该漏洞源于程序的Web UI中的系统数据暴露于未经授权的Control Sphere漏洞中，攻击者可以将泄漏的机密数据导致泄漏到Web UI错误消息和日志中。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-23135

Impacted products

Name
['Argo Argo CD >=1.8，<1.8.7', 'Argo Argo CD >=1.7，<1.7.14']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-23135"
    }
  },
  "description": "Argo\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u5bb9\u5668\u672c\u673a\u5de5\u4f5c\u6d41\u5f15\u64ce\u3002\n\nArgo CD\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u7684Web UI\u4e2d\u7684\u7cfb\u7edf\u6570\u636e\u66b4\u9732\u4e8e\u672a\u7ecf\u6388\u6743\u7684Control Sphere\u6f0f\u6d1e\u4e2d\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5c06\u6cc4\u6f0f\u7684\u673a\u5bc6\u6570\u636e\u5bfc\u81f4\u6cc4\u6f0f\u5230Web UI\u9519\u8bef\u6d88\u606f\u548c\u65e5\u5fd7\u4e2d\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-36102",
  "openTime": "2021-05-20",
  "patchDescription": "Argo\u662f\u4e00\u6b3e\u5f00\u6e90\u7684\u5bb9\u5668\u672c\u673a\u5de5\u4f5c\u6d41\u5f15\u64ce\u3002\r\n\r\nArgo CD\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u7684Web UI\u4e2d\u7684\u7cfb\u7edf\u6570\u636e\u66b4\u9732\u4e8e\u672a\u7ecf\u6388\u6743\u7684Control Sphere\u6f0f\u6d1e\u4e2d\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5c06\u6cc4\u6f0f\u7684\u673a\u5bc6\u6570\u636e\u5bfc\u81f4\u6cc4\u6f0f\u5230Web UI\u9519\u8bef\u6d88\u606f\u548c\u65e5\u5fd7\u4e2d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Argo\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2021-36102\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Argo Argo CD \u003e=1.8\uff0c\u003c1.8.7",
      "Argo Argo CD \u003e=1.7\uff0c\u003c1.7.14"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-23135",
  "serverity": "\u4e2d",
  "submitTime": "2021-05-14",
  "title": "Argo\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2021-36102\uff09"
}

CVE-2021-23135 (GCVE-0-2021-23135)

Vulnerability from cvelistv5

Published

2021-05-12 22:45

Modified

2024-09-16 19:04

Severity ?

5.9 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CWE

CWE-497 - Exposure of System Data to an Unauthorized Control Sphere

Summary

Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14.

References

▼	URL	Tags
	https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Argo CD	Argo CD	Version: 1.8 < 1.8.7 Version: 1.7 < 1.7.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:58:26.360Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Argo CD",
          "vendor": "Argo CD",
          "versions": [
            {
              "lessThan": "1.8.7",
              "status": "affected",
              "version": "1.8",
              "versionType": "custom"
            },
            {
              "lessThan": "1.7.14",
              "status": "affected",
              "version": "1.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Ezekiel Keator of Palo Alto Networks"
        },
        {
          "lang": "en",
          "value": "Kevin Huang of Palo Alto Networks"
        }
      ],
      "datePublic": "2021-03-15T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14."
        }
      ],
      "exploits": [
        {
          "lang": "en",
          "value": "When a user with update permissions to an Application was editing a Secret resources\u0027s manifest in the UI with invalid input (e.g. adding a new key with a value not encoded in base64), Argo CD would print the contents of the Secret as an error message in JSON format.\n\nAs this error message is user visible, this was effectively circumventing the redaction feature of Argo CD. Also, as this error message is being logged, the plain-text contents of the Secret ended up in the log files and possibly, in log management systems."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-497",
              "description": "CWE-497 Exposure of System Data to an Unauthorized Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-12T22:45:13",
        "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
        "shortName": "palo_alto"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Patched versions: Argo CD 1.7.14, 1.8.7"
        }
      ],
      "source": {
        "advisory": "GHSA-fp89-h8pj-8894",
        "discovery": "USER"
      },
      "title": "Argo CD leaked secret data into error messages and logs on invalid edits via UI",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@paloaltonetworks.com",
          "DATE_PUBLIC": "2021-03-15T22:31:00.000Z",
          "ID": "CVE-2021-23135",
          "STATE": "PUBLIC",
          "TITLE": "Argo CD leaked secret data into error messages and logs on invalid edits via UI"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Argo CD",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.8",
                            "version_value": "1.8.7"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "1.7",
                            "version_value": "1.7.14"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Argo CD"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Ezekiel Keator of Palo Alto Networks"
          },
          {
            "lang": "eng",
            "value": "Kevin Huang of Palo Alto Networks"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14."
            }
          ]
        },
        "exploit": [
          {
            "lang": "en",
            "value": "When a user with update permissions to an Application was editing a Secret resources\u0027s manifest in the UI with invalid input (e.g. adding a new key with a value not encoded in base64), Argo CD would print the contents of the Secret as an error message in JSON format.\n\nAs this error message is user visible, this was effectively circumventing the redaction feature of Argo CD. Also, as this error message is being logged, the plain-text contents of the Secret ended up in the log files and possibly, in log management systems."
          }
        ],
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-497 Exposure of System Data to an Unauthorized Control Sphere"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894",
              "refsource": "MISC",
              "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Patched versions: Argo CD 1.7.14, 1.8.7"
          }
        ],
        "source": {
          "advisory": "GHSA-fp89-h8pj-8894",
          "discovery": "USER"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0",
    "assignerShortName": "palo_alto",
    "cveId": "CVE-2021-23135",
    "datePublished": "2021-05-12T22:45:13.917033Z",
    "dateReserved": "2021-01-06T00:00:00",
    "dateUpdated": "2024-09-16T19:04:08.194Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted