Unauthorized Access to Sensitive Settings in Argo CD
CVE-2024-37152

7.5 HIGH

Key Information:

Vendor: Argoproj
Product: Argo-cd
CVE Published: 6 June 2024

Summary

Argo CD, a GitOps continuous delivery tool for Kubernetes, has a vulnerability that permits unauthorized access to sensitive configuration settings exposed at the /api/v1/settings endpoint. This flaw lets malicious actors learn sensitive infrastructure information, which could compromise the security of the deployment. Notably, while most sensitive settings are protected, the passwordPattern remains readable without authentication. Users of Argo CD version 2.11.2 and earlier, as well as version 2.10.11 and below, are urged to upgrade to the patched versions, specifically 2.11.3, 2.10.12, and 2.9.17, to mitigate this risk. For more technical details, please refer to the advisory on GitHub.

Affected Version(s)

argo-cd >= 2.9.3, < 2.9.17 (not affected below 2.9.3; fixed in 2.9.17)

argo-cd >= 2.10.0, < 2.10.12 (not affected below 2.10.0; fixed in 2.10.12)

argo-cd >= 2.11.0, < 2.11.3 (not affected below 2.11.0; fixed in 2.11.3)

EPSS Score

24% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved