169 matches found
Insecure Default Initialization of Resource
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be ke...
Important: Red Hat Security Advisory: Red Hat OpenShift GitOps security update
An update is now available for Red Hat OpenShift GitOps 1.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE lin...
CVE-2021-3557
A flaw was found in argocd. Any unprivileged user is able to deploy argocd in their namespace and with the created ServiceAccount argocd-argocd-server, the unprivileged user is able to read all resources of the cluster including all secrets which might enable privilege escalations. The highest...
Red Hat OpenShift GitOps 授权问题漏洞
Red Hat OpenShift is a Platform-as-a-Service PaaS cloud computing platform from Red Hat, Inc. that supports building, testing, deploying and running applications. Red Hat OpenShift GitOps suffers from an authorization issue vulnerability that stems from argocd: ServiceAccount argocd-argocd-server...
Information Disclosure
github.com/argoproj/argo-cd is vulnerable to information disclosure. User credentials are printed an error message in JSON format when a user with update permissions to an Application edits the manifest of a Secret resource in the UI with invalid input...
Cross site scripting
The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting XSS the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user...
Argo Authorization Issues Vulnerability
Argo is an open source container native workflow engine. Argo suffers from an authorization issue vulnerability that stems from the program setting the default administrator password to the argocd-server container group name. An attacker can exploit this vulnerability to gain administrator...
CVE-2020-8828
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be ke...
CVE-2020-8828
CVE-2020-8828 affects Argo CD (v1.5.0 and earlier) where the default admin password is set to the argocd-server pod name. This creates privilege-escalation risk for insiders with cluster or log access due to Argo’s privileged roles. The impact is described as a privileged-escape scenario for atta...