Critical Argo CD API Vulnerability Exposes Repository Credentials

A critical vulnerability has been discovered in Argo CD that allows API tokens with limited permissions to access sensitive repository credentials.

The flaw in the project details API endpoint exposes usernames and passwords, undermining the platform’s security model by granting access to secrets without explicit permissions.

The vulnerability stems from an improper authorization check in the Project API, specifically the /api/v1/projects/{project}/detailed endpoint.

According to the vulnerability details, API tokens with standard project-level permissions, such as those for managing applications, can retrieve all repository credentials associated with that project.

The expected behavior is that any request for sensitive information, like secrets, would require explicit, elevated permissions. However, the actual behavior allows tokens with basic access to fetch this data.

Exploitation

This issue is not confined to project-specific roles. Any token holding project get permissions is considered vulnerable, including those with broader global permissions such as the policy rule "p, role/user, projects, get, *, allow". This widens the potential attack surface significantly, as more general-purpose tokens could be used to exploit the flaw.

Exploitation is straightforward. An attacker in possession of a valid API token with the necessary permissions can make a simple authenticated call to the detailed project API endpoint.

The resulting JSON response will incorrectly include a repositories object containing plaintext username and password credentials for the repositories connected to the project. This allows an attacker to easily harvest credentials that can be used to access private source code repositories.

The consequences of this vulnerability are severe, as exposed credentials could lead to source code theft, malicious code injection into the CI/CD pipeline, and further compromise of development infrastructure.

The Argo CD development team has addressed the issue and released patches. Administrators are strongly advised to upgrade their instances to one of the following secure versions immediately to mitigate the risk:

  • v3.1.2
  • v3.0.14
  • v2.14.16
  • v2.13.9

Upgrading to a patched version will ensure that the API endpoint properly enforces permission checks and prevents the unauthorized disclosure of repository credentials.
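
Because any subject with project get permission is affected, it helps to list which roles and users hold that permission when deciding which tokens and repository credentials to review. The Python script below is an added example, not code from Argo CD or from this article; the sample policy is constructed (only its first rule is quoted above), and glob-style wildcard matching and one-level role inheritance are assumptions.

```python
import csv
from fnmatch import fnmatchcase

# Constructed policy.csv sample; only the first rule is quoted in the article.
SAMPLE_POLICY = """\
p, role/user, projects, get, *, allow
p, proj:payments:deployer, applications, sync, payments/*, allow
p, proj:payments:deployer, projects, get, payments, allow
p, role:ci, applications, *, */*, allow
p, role:auditor, *, get, *, allow
p, role:blocked, projects, get, *, deny
g, alice, role:auditor
"""


def exposed_subjects(policy_text):
    """Map each subject to the project patterns it may 'get' via allow rules."""
    grants, bindings = {}, []
    for row in csv.reader(policy_text.splitlines(), skipinitialspace=True):
        fields = [f.strip() for f in row]
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "g" and len(fields) >= 3:
            bindings.append((fields[1], fields[2]))  # (member, role)
        elif fields[0] == "p" and len(fields) >= 6:
            _, subject, resource, action, obj, effect = fields[:6]
            # Assumption: wildcards behave like shell globs (fnmatch).
            # Deny rules are skipped, so the report errs toward over-listing.
            if (effect == "allow" and fnmatchcase("projects", resource)
                    and fnmatchcase("get", action)):
                grants.setdefault(subject, set()).add(obj)
    # Members inherit their role's grants (one level of 'g' bindings only).
    for member, role in bindings:
        if role in grants:
            grants.setdefault(member, set()).update(grants[role])
    return {subject: sorted(objs) for subject, objs in grants.items()}


if __name__ == "__main__":
    for subject, projects in sorted(exposed_subjects(SAMPLE_POLICY).items()):
        print(f"{subject}: can read project details for {', '.join(projects)}")
```

Subjects reported with "*" can read details for every project, so on an unpatched instance their tokens reach the repository credentials of all projects.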

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.