CVE-2021-23135 in Linux Foundation and Argoproj Products
Published on May 12, 2021

Argo CD leaked secret data into error messages and logs on invalid edits via UI

Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14.

NVD

Vulnerability Analysis

CVE-2021-23135 can be exploited with local system access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:

LOCAL

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

REQUIRED

Scope:

CHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

NONE

Availability Impact:

NONE

Weakness Type

Exposure of Sensitive System Information to an Unauthorized Control Sphere

The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does.

Products Associated with CVE-2021-23135

stack.watch emails you whenever new vulnerabilities are published in Linux Foundation Argo Continuous Delivery or Argoproj Argo Cd. Just hit a watch button to start following.

Linux Foundation Argo Continuous Delivery

Argoproj Argo Cd

Affected Versions

Argo CD:

Version 1.8 and below 1.8.7 is affected.
Version 1.7 and below 1.7.14 is affected.

Exploit Probability

EPSS

0.06%

Percentile

17.94%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.