What is CVE-2021-23135?

CVE-2021-23135 is a vulnerability in the web UI of Argo CD that allows an attacker to leak secret data into web UI error messages and logs.

What is the severity of CVE-2021-23135?

The severity of CVE-2021-23135 is medium, with a severity value of 5.5.

Which versions of Argo CD are affected by CVE-2021-23135?

Argo CD 1.8 versions prior to 1.8.7 and 1.7 versions prior to 1.7.14 are affected by CVE-2021-23135.

How can an attacker exploit CVE-2021-23135?

An attacker can exploit CVE-2021-23135 by causing leaked secret data into web UI error messages and logs.

How can I fix CVE-2021-23135?

To fix CVE-2021-23135, update Argo CD to version 1.8.7 for 1.8.x versions or version 1.7.14 for 1.7.x versions.

Vulnerability/
CVE-2021-23135

medium

5.9

CWE

209 497

12/5/2021

16/9/2024

CVE-2021-23135: Argo CD leaked secret data into error messages and logs on invalid edits via UI

First published: Wed May 12 2021(Updated: )

Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14.

Credit: psirt@paloaltonetworks.com psirt@paloaltonetworks.com

Affected Software	Affected Version	How to fix
Linuxfoundation Argo Continuous Delivery	>=1.7.0<1.7.14
Linuxfoundation Argo Continuous Delivery	>=1.8.0<1.8.7
Argoproj Argo Cd	>=1.7.0<1.7.14
Argoproj Argo Cd	>=1.8.0<1.8.7

Remedy

Patched versions: Argo CD 1.7.14, 1.8.7

Never miss a vulnerability like this again

Reference Links

https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894

Frequently Asked Questions

What is CVE-2021-23135?
CVE-2021-23135 is a vulnerability in the web UI of Argo CD that allows an attacker to leak secret data into web UI error messages and logs.
What is the severity of CVE-2021-23135?
The severity of CVE-2021-23135 is medium, with a severity value of 5.5.
Which versions of Argo CD are affected by CVE-2021-23135?
Argo CD 1.8 versions prior to 1.8.7 and 1.7 versions prior to 1.7.14 are affected by CVE-2021-23135.
How can an attacker exploit CVE-2021-23135?
An attacker can exploit CVE-2021-23135 by causing leaked secret data into web UI error messages and logs.
How can I fix CVE-2021-23135?
To fix CVE-2021-23135, update Argo CD to version 1.8.7 for 1.8.x versions or version 1.7.14 for 1.7.x versions.

collector/nvd-index
agent/weakness
agent/type
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/author
agent/references
agent/softwarecombine
agent/description
collector/mitre-cve
source/MITRE
agent/remedy
agent/title
agent/severity
agent/last-modified-date
agent/event
agent/first-publish-date
agent/tags
vendor/linuxfoundation
canonical/linuxfoundation argo continuous delivery
version/linuxfoundation argo continuous delivery/1.7.0
version/linuxfoundation argo continuous delivery/1.8.0
vendor/argoproj
canonical/argoproj argo cd
version/argoproj argo cd/1.7.0
version/argoproj argo cd/1.8.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.