Unauthenticated Access to sensitive settings in Argo CD

2024-06-0621:27:43

Google

osv.dev

cve

authentication

sensitive data

patch

vulnerability

argo cd

information disclosure

security configuration

network information

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.206

Percentile

96.5%

Summary

The CVE allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication.

Description: This endpoint is accessible without any form of authentication as expected. All sensitive settings are hidden except passwordPattern.

Patches
A patch for this vulnerability has been released in the following Argo CD versions:

v2.11.3
v2.10.12
v2.9.17

Type: Unauthorized Information Disclosure.
Affected Parties: All users and administrators of the Argo CD instance.
Potential Risks: Exposure of sensitive configuration data, including but not limited to deployment settings, security configurations, and internal network information.