CVE-2024-37152

2024-06-0616:15:13

Google

osv.dev

argo cd

vulnerability

unauthorized access

sensitive settings

authentication

fixed

2.11.3

2.10.12

2.9.17

kubernetes

continuous delivery

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

5.2

Confidence

High

EPSS

0.206

Percentile

96.5%

JSON

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.