CVE-2025-55190 Argo CD: Project API Token Exposes Repository Credentials
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials usernames, passwor...
GHSA-786Q-9HCG-V9FF Argo CD's Project API Token Exposes Repository Credentials
Summary Argo CD API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. Component:...
PT-2025-36094
Name of the Vulnerable Software and Affected Versions: Argo CD versions 2.13.0 through 2.13.8; Argo CD versions 2.14.0 through 2.14.15; Argo CD versions 3.0.0 through 3.0.12; Argo CD versions 3.1.0-rc1 through 3.1.1. Description: Argo CD, a declarative GitOps continuous delivery tool for Kubernetes,...
Argo CD Information Disclosure Vulnerability
Argo CD is an Argo open source declarative GitOps continuous delivery tool for Kubernetes. An information disclosure vulnerability exists in Argo CD that stems from a project-level permission API token that can retrieve sensitive repository credentials. The following versions are affected: versio...
SUSE CVE-2021-32690
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. Thi...
Argo CD leaks repository credentials in user-facing error messages and in logs
Impact All versions of Argo CD starting with v2.6.0-rc1 have an output sanitization bug which leaks repository access credentials in error messages. These error messages are visible to the user, and they are logged. The error message is visible when a user attempts to create or update an...
Rancher Labs Rancher Information Disclosure Vulnerability
Rancher Labs Rancher is an open source, enterprise-class container management platform from Rancher Labs, U.S. Rancher Labs Rancher is vulnerable to an information disclosure vulnerability that stems from exposing repository credentials to an external third-party source, which could be exploited ...
Exposure of repository credentials to external third-party sources in Rancher
Impact This issue only happens when the user configures access credentials to a private repository in Rancher inside Apps & Marketplace Repositories. It affects Rancher versions 2.5.0 up to and including 2.5.11 and from 2.6.0 up to and including 2.6.2. An insufficient check of the same-origin...
Repository credentials passed to alternate domain
...
GHSA-7JR6-PRV4-5WF5 Duplicate Advisory: Helm passes repository credentials to alternate domain
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-56hp-xqp3-w2jf. This link is maintained to preserve external references. Original Description Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6....
GHSA-56HP-XQP3-W2JF Helm passes repository credentials to alternate domain
While working on the Helm source, a Helm core maintainer discovered a situation where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. Impact The index.yaml within a Helm chart repository contains a...
CVE-2021-32690 Repository credentials passed to alternate domain
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. Thi...
CVE-2011-3634
methods/https.cc in apt before 0.8.11 accepts connections when the certificate host name fails validation and Verify-Host is enabled, which allows man-in-the-middle attackers to obtain repository credentials via unspecified vectors...
CVE-2012-0950
The Apport hook DistUpgradeApport.py in Update Manager, as used by Ubuntu 12.04 LTS, 11.10, and 11.04, uploads the /var/log/dist-upgrade directory when reporting bugs to Launchpad, which allows remote attackers to read repository credentials by viewing a public bug report. NOTE: this vulnerabilit...
CVE-2012-0950
The CVE-2012-0950 vulnerability concerns the Apport hook (DistUpgradeApport.py) in Ubuntu Update Manager: when reporting bugs to Launchpad it uploads /var/log/dist-upgrade, potentially exposing repository credentials in a public bug report. This exists because of an incomplete fix for CVE-2012-09...
CVE-2012-0948
DistUpgrade/DistUpgradeMain.py in Update Manager, as used by Ubuntu 12.04 LTS, 11.10, and 11.04, uses weak permissions for (1) apt-clone_system_state.tar.gz and (2) system_state.tar.gz, which allows local users to obtain repository credentials...