CVE-2020-8826
As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication...
Default credentials
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be ke...
Authentication flaw
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence...
CVE-2020-8827
Argo CD is affected by a rate-limiting/brute-force vulnerability built on a weak, cache-based login attempt tracker. Prior to versions 2.8.13, 2.9.9, and 2.10.4, attackers can overflow the per-user login-attempt cache, bypass rate limits, and escalate brute-force attempts against the default admi...
CVE-2020-8826
CVE-2020-8826 relates to the Argo CD web interface authentication, where as of v1.5.0, issued authentication tokens were immutable and did not expire. This creates a potential session-related risk (e.g., token reuse) if a token is compromised, since tokens cannot be refreshed or forcefully re-aut...
CVE-2020-11576
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid non-SSO accounts because /api/v1/session returned 401 for an existing username and 404 otherwise...
CVE-2020-11576
CVE-2020-11576 affects Argo CD (v1.5.0) with a user-enumeration flaw in the /api/v1/session endpoint, which returned 401 for existing usernames and 404 for non-existing ones. This behavior allowed enumeration of valid (non-SSO) usernames. The issue is fixed in v1.5.1; upgrading to v1.5.1 or later...
PT-2020-12695 · Intuit · Argo
Name of the Vulnerable Software and Affected Versions: Argo version v1.5.0. Description: The issue allowed attackers to determine the usernames of valid non-SSO accounts. This was possible because the /api/v1/session endpoint returned a 401 status code for an existing username and a 404 status cod...
PT-2020-20309 · Intuit · Argo
Name of the Vulnerable Software and Affected Versions: Argo versions 1.5.0 and later. Description: The Argo web interface authentication system issued immutable tokens as of version 1.5.0. These authentication tokens, once issued, were usable forever without expiration, and there was no refresh or...
PT-2020-20311 · Intuit · Argo Cd
Name of the Vulnerable Software and Affected Versions: Argo CD versions 1.5.0 through 1.8.0. Description: The default admin password is set to the argocd-server pod name, which could be abused for privilege escalation by insiders with access to the cluster or logs, as Argo has privileged roles. A...
argo-surgut.ru Cross Site Scripting vulnerability
Open Bug Bounty ID: OBB-1116148. Security Researcher geeknik (helped patch 8710 vulnerabilities, received 8 Coordinated Disclosure badges and 20 recommendations), a holder of 8 badges for responsible and coordinated disclosure, found a security vulnerability affecting argo-surgut.ru website and...
argo-ds.ru Cross Site Scripting vulnerability
Open Bug Bounty ID: OBB-1075668. Following coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website...
argo-konzerte.de XSS vulnerability
Open Bug Bounty ID: OBB-692841. Affected Website: argo-konzerte.de; Vulnerable Application: hidden until disclosure; Vulnerability Type: XSS Cross Site Scripting / CWE-79; CVSSv3 Score: hidden...
argo-contar.com XSS vulnerability
Open Bug Bounty ID: OBB-680725. Affected Website: argo-contar.com; Vulnerable Application: Custom Code; Vulnerability Type: XSS Cross Site Scripting / CWE-79; CVSSv3 Score: 6.1...