Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit a0470b16b475 · 2025-12-20T03:11:31.000Z
GHSA-vw7g-3cc7-7rmh GHSA-274v-mgcv-cm8j
diff --git a/advisories/github-reviewed/2024/08/GHSA-vw7g-3cc7-7rmh/GHSA-vw7g-3cc7-7rmh.json b/advisories/github-reviewed/2024/08/GHSA-vw7g-3cc7-7rmh/GHSA-vw7g-3cc7-7rmh.json
@@ -1,18 +1,14 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vw7g-3cc7-7rmh",
-  "modified": "2024-08-07T19:37:15Z",
+  "modified": "2025-12-20T03:08:16Z",
   "published": "2024-08-01T18:32:50Z",
   "aliases": [
     "CVE-2024-41265"
   ],
   "summary": "cortex establishes TLS connections with `InsecureSkipVerify` set to `true`",
   "details": "A TLS certificate verification issue discovered in cortex v0.42.1 allows attackers to obtain sensitive information via the makeOperatorRequest function.",
   "severity": [
-    {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
-    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
@@ -48,6 +44,10 @@
       "type": "WEB",
       "url": "https://gist.github.com/nyxfqq/1a8237f3f9cf793c6433f08b17d1593c"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-vw7g-3cc7-7rmh"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/cortexproject/cortex"
diff --git a/advisories/github-reviewed/2025/01/GHSA-274v-mgcv-cm8j/GHSA-274v-mgcv-cm8j.json b/advisories/github-reviewed/2025/01/GHSA-274v-mgcv-cm8j/GHSA-274v-mgcv-cm8j.json
@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-274v-mgcv-cm8j",
-  "modified": "2025-06-17T14:42:46Z",
+  "modified": "2025-12-20T03:10:36Z",
   "published": "2025-01-30T17:51:33Z",
   "aliases": [],
   "summary": "Argo CD GitOps Engine does not scrub secret values from patch errors",
-  "details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.\n\n### Patches\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4\n- v2.12.10\n- v2.11.13\n\n### Workarounds\nThere is no workaround other than upgrading.\n\n### References\nFixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
+  "details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.\n\n### Patches\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4\n- v2.12.10\n- v2.11.13\n\n### Workarounds\nThere is no workaround other than upgrading.\n\n### Resources\nFixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
   "severity": [
     {
       "type": "CVSS_V3",

Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,11 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-274v-mgcv-cm8j",`
`4`		`- "modified": "2025-06-17T14:42:46Z",`
	`4`	`+ "modified": "2025-12-20T03:10:36Z",`
`5`	`5`	`"published": "2025-01-30T17:51:33Z",`
`6`	`6`	`"aliases": [],`
`7`	`7`	`"summary": "Argo CD GitOps Engine does not scrub secret values from patch errors",`
`8`		- "details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.\n\n### Patches\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4\n- v2.12.10\n- v2.11.13\n\n### Workarounds\nThere is no workaround other than upgrading.\n\n### References\nFixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
	`8`	+ "details": "### Impact\nA vulnerability was discovered in Argo CD that exposed secret values in error messages and the diff view when an invalid Kubernetes Secret resource was synced from a repository. \n\nThe vulnerability assumes the user has write access to the repository and can exploit it, either intentionally or unintentionally, by committing an invalid Secret to repository and triggering a Sync. Once exploited, any user with read access to Argo CD can view the exposed secret data.\n\n### Patches\nA patch for this vulnerability is available in the following Argo CD versions:\n- v2.13.4\n- v2.12.10\n- v2.11.13\n\n### Workarounds\nThere is no workaround other than upgrading.\n\n### Resources\nFixed with commit https://github.com/argoproj/argo-cd/commit/6f5537bdf15ddbaa0f27a1a678632ff0743e4107 & https://github.com/argoproj/gitops-engine/commit/7e21b91e9d0f64104c8a661f3f390c5e6d73ddca",
`9`	`9`	`"severity": [`
`10`	`10`	`{`
`11`	`11`	`"type": "CVSS_V3",`