Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN584
_____________________________________________________________________

DATE                : 05/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Argo CD versions prior to 3.1.2, 
                               3.0.14, 2.14.16, 2.13.9.

=====================================================================
https://github.com/argoproj/argo-cd/security/advisories/GHSA-786q-9hcg-v9ff
_____________________________________________________________________

Project API Token Exposes Repository Credentials
Critical
crenshaw-dev published GHSA-786q-9hcg-v9ff Sep 4, 2025

Package
github.com/argoproj/argo-cd (Go)

Affected versions
>= 2.13.0

Patched versions
v3.1.2, v3.0.14, v2.14.16, v2.13.9


Description

Summary

Argo CD API tokens with project-level permissions are able to retrieve
sensitive repository credentials (usernames, passwords) through the
project details API endpoint, even when the token only has standard
application management permissions and no explicit access to secrets.

Component: Project API (/api/v1/projects/{project}/detailed)


Vulnerability Details

Expected Behavior

API tokens should require explicit permission to access sensitive
credential information. Standard project permissions should not grant
access to repository secrets.


Actual Behavior

API tokens with basic project permissions can retrieve all repository
credentials associated with a project through the detailed project
API endpoint.

Note: This vulnerability does not only affect project-level
permissions. Any token with project get permissions is also
vulnerable, including global permissions such as:
p, role/user, projects, get, *, allow


Steps to Reproduce

    Create an API token with the following project-level
permissions:

p, proj:myProject:project-automation-role, applications, sync, myProject/*, allow
p, proj:myProject:project-automation-role, applications, action/argoproj.io/Rollout/*, myProject/*, allow
p, proj:myProject:project-automation-role, applications, get, myProject/*, allow

    Call the project details API:

bashcurl -sH "Authorization: Bearer $ARGOCD_API_TOKEN" \
  "https://argocd.example.com/api/v1/projects/myProject/detailed"

    Observe that the response includes sensitive repository
credentials:

{
  "repositories": [
    {
      "username": "<REDACTED>",
      "password": "<REDACTED>",
      "type": "helm",
      "name": "test-helm-repo",
      "project": "myProject"
    }
  ]
}


Patches

    v3.1.2
    v3.0.14
    v2.14.16
    v2.13.9


Credits to @ashishgoyal111 for helping identify this issue.


Severity
Critical
10.0/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID
CVE-2025-55190

Weaknesses
No CWEs

Credits

    @ntammineni5 ntammineni5 Reporter
    @34fathombelow 34fathombelow Other
    @alexmt alexmt Remediation developer
    @crenshaw-dev crenshaw-dev Coordinator
    @svghadi svghadi Coordinator


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================