Lucene search

GitHub Advisory DatabaseGHSA-87P9-X75H-P4J2

HistoryJun 06, 2024 - 9:27 p.m.

Unauthenticated Access to sensitive settings in Argo CD

2024-06-0621:27:43

CWE-22

CWE-287

CWE-306

CWE-384

GitHub Advisory Database

github.com

cve

unauthorized access

sensitive settings

argo cd

information disclosure

patch

vulnerability

version

configuration data

security configurations

network information

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

22.0%

JSON

Summary

The CVE allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication.

Details

Unauthenticated Access:

Endpoint: /api/v1/settings

Description: This endpoint is accessible without any form of authentication as expected. All sensitive settings are hidden except passwordPattern.

Patches
A patch for this vulnerability has been released in the following Argo CD versions:

v2.11.3
v2.10.12
v2.9.17

Impact

Unauthenticated Access:

Type: Unauthorized Information Disclosure.
Affected Parties: All users and administrators of the Argo CD instance.
Potential Risks: Exposure of sensitive configuration data, including but not limited to deployment settings, security configurations, and internal network information.

Affected configurations

Vulners

Node

github.com\/argoproj\/argocd\/v2\/serverRange<2.11.3

github.com\/argoproj\/argocd\/v2\/serverRange<2.10.12

github.com\/argoproj\/argocd\/v2\/serverRange<2.9.17

CPENameOperatorVersion
github.com/argoproj/argo-cd/v2/serverlt2.11.3
github.com/argoproj/argo-cd/v2/serverlt2.10.12
github.com/argoproj/argo-cd/v2/serverlt2.9.17