
CVE-2018-21034: Argo Exposure of Sensitive Information

CVSS Score: 6.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.74429%
Published: 5/24/2022
Updated: 10/5/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: github.com/argoproj/argo-cd
Ecosystem: go
Vulnerable Versions: < 1.5.0-rc1
First Patched Version: 1.5.0-rc1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the GetManifests function in application.go returning Secret manifests with their data unredacted. The patch adds a loop over the returned manifests that passes each Secret through diff.HideSecretData before the response is sent. The accompanying changes to test/e2e/app_management_test.go verify that secret values are redacted in GetManifests responses. Before the fix, this function contained no secret redaction logic at all, so any authenticated user permitted to request an application's manifests received the raw Secret contents from git, making it the entry point for the sensitive data exposure.
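To make the before/after behaviour concrete, the following is an added example in Go (not Argo CD's own code): a minimal model of a GetManifests-style function that returns manifests as JSON strings, first as the vulnerable version that passes Secrets through untouched, then as the fixed version that loops over the manifests and redacts every Secret before returning. The HideSecretData function here is a hypothetical stand-in for Argo CD's diff.HideSecretData, using a fixed "++++++++" placeholder; the sample manifests are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample manifests, one JSON document per string, in the shape a
// manifests API response carries. Not taken from the page or from Argo CD.
var sampleManifests = []string{
	`{"apiVersion":"v1","kind":"Secret","metadata":{"name":"db-creds","namespace":"prod"},"type":"Opaque","data":{"password":"aHVudGVyMg=="},"stringData":{"token":"plain-token"}}`,
	`{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"web","namespace":"prod"},"spec":{"replicas":1}}`,
}

// Redacted is the placeholder written over every Secret value. Assumption:
// Argo CD's real diff.HideSecretData uses its own placeholder scheme.
const Redacted = "++++++++"

// GetManifestsUnredacted models the pre-1.5.0-rc1 behaviour: manifests are
// returned exactly as rendered from git, Secret values included.
func GetManifestsUnredacted(manifests []string) []string {
	out := make([]string, len(manifests))
	copy(out, manifests)
	return out
}

// HideSecretData is a hypothetical stand-in for diff.HideSecretData: for a
// manifest of kind Secret it overwrites every entry in .data and .stringData
// with Redacted and leaves the non-sensitive fields (name, type, labels)
// intact. Manifests of any other kind are returned unchanged.
func HideSecretData(manifest string) (string, error) {
	var obj map[string]interface{}
	if err := json.Unmarshal([]byte(manifest), &obj); err != nil {
		return "", fmt.Errorf("parse manifest: %w", err)
	}
	if kind, _ := obj["kind"].(string); kind != "Secret" {
		return manifest, nil
	}
	for _, field := range []string{"data", "stringData"} {
		values, ok := obj[field].(map[string]interface{})
		if !ok {
			continue
		}
		for key := range values {
			values[key] = Redacted
		}
	}
	encoded, err := json.Marshal(obj)
	if err != nil {
		return "", fmt.Errorf("encode manifest: %w", err)
	}
	return string(encoded), nil
}

// GetManifestsRedacted models the fixed behaviour: the same manifest list,
// but every manifest is passed through HideSecretData before it is returned.
// A manifest that cannot be parsed fails the whole call rather than being
// passed through unredacted (fail closed).
func GetManifestsRedacted(manifests []string) ([]string, error) {
	out := make([]string, 0, len(manifests))
	for _, m := range manifests {
		r, err := HideSecretData(m)
		if err != nil {
			return nil, err
		}
		out = append(out, r)
	}
	return out, nil
}

func main() {
	for _, m := range GetManifestsUnredacted(sampleManifests) {
		fmt.Println("before:", m)
	}
	fixed, err := GetManifestsRedacted(sampleManifests)
	if err != nil {
		panic(err)
	}
	for _, m := range fixed {
		fmt.Println("after: ", m)
	}
}
```

The point to carry over when reviewing a fix of this kind is that the redaction must sit on the response path itself, so that a caller with the right to view an application's manifests never receives Secret data regardless of which API entry point it used; the unparseable-manifest case is deliberately treated as an error rather than returned as-is, because silently passing through is exactly the pre-fix behaviour.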

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.
