350 matches found
CVE-2024-36106
A flaw was found in Argo-CD. Error messages in Argo-CD may contain sensitive information, such as clusters and project names, which allows authenticated malicious users to enumerate possible targets...
BIT-ARGO-CD-2024-37152 Unauthenticated Access to sensitive settings in Argo CD
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in...
CVE-2024-37152 Unauthenticated Access to sensitive settings in Argo CD
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in...
CVE-2024-37152
Argo CD exposes sensitive settings via /api/v1/settings without authentication, enabling unauthenticated access to items such as passwordPattern. The issue is fixed in versions 2.11.3, 2.10.12, and 2.9.17. Affected product: Argo CD (Kubernetes GitOps tool). Root cause described across sources as ...
CVE-2024-37152 Unauthenticated Access to sensitive settings in Argo CD
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in...
CVE-2024-36106
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. Thi...
CVE-2024-36106 Argo CD allows authenticated users to enumerate clusters by name
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. Thi...
Argo CD Security Vulnerability
Argo CD is a software application. A declarative GitOps continuous delivery tool for Kubernetes. It continuously monitors running applications and compares the current live state with the desired target state e.g. configuration in the Git repository, automatically synchronizing and deploying...
Important: Red Hat Security Advisory: Errata Advisory for Red Hat OpenShift GitOps v1.11.5 security update
An update is now available for Red Hat OpenShift GitOps v1.11.5 to address the CVE-2024-31989, Unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Red Hat Product Security has rated this update as having a security impact of Important. A...
Important: Red Hat Security Advisory: Errata Advisory for Red Hat OpenShift GitOps v1.12.3 security update
An update is now available for Red Hat OpenShift GitOps v1.12.3 to address the CVE-2024-31989, Unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Red Hat Product Security has rated this update as having a security impact of Important. A...
BIT-ARGO-CD-2024-32476 Denial of Service via malicious jqPathExpressions in ignoreDifferences
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service DoS vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in versions 2.10.7, 2.9.12 and 2.8.16...
CVE-2024-31989
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS...
CVE-2024-31989 ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS...
Argo CD 安全漏洞
Argo CD is a software application. A declarative GitOps continuous delivery tool for Kubernetes. It continuously monitors running applications and compares the current live state with the desired target state e.g., configuration in a Git repository, automatically synchronizing and deploying...
TotalCloud Container Security Best Practices
Qualys Container Security CS, an integral part of TotalCloud 2.0, provides a comprehensive view of the security posture of containerized applications. Operationalizing a new technology tool in an enterprise often presents its own challenges. This blog seeks to help the operations team familiarize...
CVE-2024-31216
The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to versi...
CVE-2024-31216
The CVE-2024-31216 issue affects the FluxCD source-controller. When configured to use an Azure SAS token for Azure Blob Storage, the SAS token could be logged with the Azure URL during connection errors, enabling token-based access to storage if logs are accessible. This was fixed in source-contr...
CVE-2024-31216 source-controller leaks theAzure Storage SAS token into logs on connection errors
The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to versi...
CVE-2024-31216 source-controller leaks theAzure Storage SAS token into logs on connection errors
The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to versi...
CVE-2024-31216 source-controller leaks theAzure Storage SAS token into logs on connection errors
The source-controller is a Kubernetes operator, specialised in artifacts acquisition from external sources such as Git, OCI, Helm repositories and S3-compatible buckets. The source-controller implements the source.toolkit.fluxcd.io API and is a core component of the GitOps toolkit. Prior to versi...