Product:

Argo_cd

(Argoproj)
Repositories

Unknown:

This might be proprietary software.
#Vulnerabilities 36
Date Id Summary Products Score Patch Annotated
2024-06-06 CVE-2024-37152 Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17. Argo_cd 7.5
2020-04-08 CVE-2020-11576 Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise. Argo_cd 5.3
2020-04-08 CVE-2020-8826 As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication. Argo_cd 7.5
2020-04-08 CVE-2020-8827 As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence. Argo_cd 7.5
2020-04-08 CVE-2020-8828 As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere. Argo_cd 8.8
2020-04-09 CVE-2018-21034 In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git. Argo_cd 6.5