SCA: security update for github.com/argoproj/argo-cd/v2 (GHSA-mv6w-j4xc-qpfw)

medium Tenable Self-Hosted Container Security Plugin ID 417136

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of Argo CD starting
with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error
messages. These error messages are visible to the user, and they are logged. The error message is visible
when a user attempts to create or update an Application via the Argo CD API (and therefor the UI or CLI).
The user must have `applications, create` or `applications, update` RBAC access to reach the code which
may produce the error. The user is not guaranteed to be able to trigger the error message. They may
attempt to spam the API with requests to trigger a rate limit error from the upstream repository. If the
user has `repositories, update` access, they may edit an existing repository to introduce a URL typo or
otherwise force an error message. But if they have that level of access, they are probably intended to
have access to the credentials anyway. A patch for this vulnerability has been released in version 2.6.1.
Users are advised to upgrade. There are no known workarounds for this vulnerability. (CVE-2023-25163)

See Also

https://github.com/advisories/GHSA-mv6w-j4xc-qpfw

Plugin Details

Severity: Medium

ID: 417136

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2023-25163

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 2/8/2023

Vulnerability Publication Date: 2/8/2023

Reference Information

CVE: CVE-2023-25163

cwe: CWE-532