Argo CD: Project API Token Exposes Repository Credentials

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

信息暴露

Argo CD 信息泄露漏洞

Argo CD是Argo开源的一个用于Kubernetes的声明性GitOps连续交付工具。 Argo CD存在信息泄露漏洞，该漏洞源于项目级权限API令牌可检索敏感仓库凭据。以下版本受到影响：2.13.0至2.13.8版本、2.14.0至2.14.15版本、3.0.0至3.0.12版本和3.1.0-rc1至3.1.1版本。

N/A

N/A