7.7 CVE-2026-43824
In Argo CD 3.2.0 before 3.2.11 and 3.3.0 before 3.3.9, ServerSideDiff allows reading cleartext Kubernetes Secret data.
https://nvd.nist.gov/vuln/detail/CVE-2026-43824
Categories
CWE-212 : Improper Removal of Sensitive Information Before Storage or Transfer
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
Tools are available to analyze documents (such as PDF, Word, etc.) to look for private information such as names, addresses, etc.
Clearly specify which information should be regarded as private or sensitive, and require that the product offers functionality that allows the user to cleanse the sensitive information from the resource before it is published or exported to other parties. Use naming conventions and strong types to make it easier to spot when sensitive data is being used. When creating structures, objects, or other complex entities, separate the sensitive and non-sensitive data as much as possible. Avoid errors related to improper resource shutdown or release (CWE-404), which may leave the sensitive data within the resource if it is in an incomplete state.
- product does not remove EXIF data from images, which can include GPS coordinates
- Customer relationship management (CRM) product does not strip Exif data from images
- Cryptography library does not clear heap memory before release
- Some image editors modify a JPEG image, but the original EXIF thumbnail image is left intact within the JPEG. (Also an interaction error).
- NAT feature in firewall leaks internal IP addresses in ICMP error messages.
References
134c704f-9b21-4f2e-91b3-4a467353bcc0
cve@mitre.org
AFFECTED (from MITRE)
| Vendor | Product | Versions |
|---|---|---|
| argoproj | Argo CD | 3.2.0 < 3.2.11 [affected]; 3.3.0 < 3.3.9 [affected] |

© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.
CPE
| cpe | start | end |
|---|---|---|
| Configuration 1 | | |
| cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:* | >= 3.2.0 | < 3.2.11 |
| cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:* | >= 3.3.0 | < 3.3.9 |
REMEDIATION
EXPLOITS
Exploit-db.com
| id | description | date |
|---|---|---|
| No known exploits | | |
POC Github
Other Nist (github, ...)
CAPEC
Common Attack Pattern Enumerations and Classifications
| id | description | severity |
|---|---|---|
| 168 | Windows ::DATA Alternate Data Stream: An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams. | Medium |