CVE-2021-23135

CVSS v3 5.9 MEDIUM
CVSS v2.0 2.1 LOW

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.5 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

E

xposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14.

References

Link	Resource
https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894	Third Party Advisory
https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:argoproj:argo_cd::::::::
	cpe:2.3:a:argoproj:argo_cd::::::::

History

21 Nov 2024, 05:51

Type	Values Removed	Values Added
References	~~() https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894 - Third Party Advisory~~	() https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894 - Third Party Advisory
CVSS	v2 : ~~2.1~~ v3 : ~~5.5~~	v2 : 2.1 v3 : 5.9

07 Aug 2024, 15:43

Type	Values Removed	Values Added
First Time		Argoproj argo Cd Argoproj
CPE	cpe:2.3:a:linuxfoundation:argo_continuous_delivery::::::kubernetes::*	cpe:2.3:a:argoproj:argo_cd::::::::

Information

Published : 2021-05-12 23:15

Updated : 2024-11-21 05:51

NVD link : CVE-2021-23135

Mitre link : CVE-2021-23135

CVE.ORG link : CVE-2021-23135

JSON object : View

Products Affected

argo_cd

CWE

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2021-23135", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 1.5}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2021-05-12T23:15:07.757", "references": [{"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894", "tags": ["Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-fp89-h8pj-8894", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-497"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14."}, {"lang": "es", "value": "Una exposici\u00f3n de los Datos del Sistema en una vulnerabilidad de Esfera de Control No Autorizada en la Interfaz de Usuario web de Argo CD permite a un atacante causar una filtraci\u00f3n de datos secretos en unos registros y mensajes de error de la Interfaz de Usuario web. Este problema afecta a Argo CD versiones 1.8 anteriores a 1.8.7; versiones 1.7 anteriores a 1.7.14"}], "lastModified": "2024-11-21T05:51:16.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40A5750C-C912-4356-8D48-ADD9C86F2DB0", "versionEndExcluding": "1.7.14", "versionStartIncluding": "1.7.0"}, {"criteria": "cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3E438055-0F76-49F1-84CF-D33F82E45724", "versionEndExcluding": "1.8.7", "versionStartIncluding": "1.8.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}