Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Argo_cd
(Argoproj)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 36 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2024-06-06 | CVE-2024-37152 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17. | Argo_cd | 7.5 | ||
| 2020-04-08 | CVE-2020-11576 | Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise. | Argo_cd | 5.3 | ||
| 2020-04-08 | CVE-2020-8826 | As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication. | Argo_cd | 7.5 | ||
| 2020-04-08 | CVE-2020-8827 | As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence. | Argo_cd | 7.5 | ||
| 2020-04-08 | CVE-2020-8828 | As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere. | Argo_cd | 8.8 | ||
| 2020-04-09 | CVE-2018-21034 | In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git. | Argo_cd | 6.5 | ||
| 2021-02-09 | CVE-2021-26921 | In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled. | Argo_cd | 6.5 | ||
| 2021-03-03 | CVE-2021-23347 | The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user. | Argo_cd | 4.8 | ||
| 2021-03-15 | CVE-2021-26923 | An issue was discovered in Argo CD before 1.8.4. Accessing the endpoint /api/version leaks internal information for the system, and this endpoint is not protected with authentication. | Argo_cd | 7.5 | ||
| 2021-03-15 | CVE-2021-26924 | An issue was discovered in Argo CD before 1.8.4. Browser XSS protection is not activated due to the missing XSS protection header. | Argo_cd | 6.1 |