Veracode Vulnerability Database: VERACODE:47160
May 24, 2024 - 6:38 a.m.

Missing Default Authentication

sca.analysiscenter.veracode.com
argo cd
missing default authentication
redis vulnerability
information leaks
unprivileged pod

CVSS 3.1 base score: 9.0 High
  Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  Attack Vector: Adjacent
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Changed
  Confidentiality Impact: High
  Integrity Impact: High
  Availability Impact: High

AI Score: 7.1 High (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 13.0%)

Argo CD is vulnerable to Missing Default Authentication. The Redis instance deployed alongside Argo CD has no password by default, so an attacker with access to an unprivileged pod that can reach the Redis service can connect to it and obtain read/write access to the cache. Because the cached values are neither signed nor validated, the attacker can modify the "mfst" (manifest) key to have Argo CD deploy attacker-controlled manifests, and can edit the "app|resources-tree" key to cause information leaks.
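As an added example (not code from Argo CD or from the Veracode entry), the following Python script checks for the exposure described above the way an auditor would from inside a cluster: it speaks the Redis RESP protocol directly over a socket, so no client library is needed, sends PING without a preceding AUTH, and classifies the reply. A "+PONG" answer to an unauthenticated PING is exactly the condition the advisory describes; a "-NOAUTH" error means a password is required, which is the expected state after the fix. The service name argocd-redis and port 6379 used in the usage example are assumptions (the upstream Argo CD manifests' service name and the Redis default port); the sample replies used in the assertions are constructed, not captured from a real instance.

```python
"""Probe a Redis endpoint for missing authentication (added audit example).

Assumptions: the target is reachable from where the script runs (e.g. an
unprivileged pod); the hostname "argocd-redis" and port 6379 are assumed
defaults, not values taken from the vulnerability entry.
"""
import socket
import sys


def encode_command(*parts: str) -> bytes:
    """Encode a command as a RESP array, e.g. ("PING",) -> b"*1\\r\\n$4\\r\\nPING\\r\\n"."""
    out = [b"*%d\r\n" % len(parts)]
    for part in parts:
        raw = part.encode()
        out.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(out)


def parse_reply(raw: bytes):
    """Parse one simple-string, error, integer or bulk-string RESP reply.

    Returns a (kind, payload) tuple. Arrays are not needed for this probe
    and are rejected so a caller never misreads them.
    """
    if not raw.endswith(b"\r\n"):
        raise ValueError("incomplete reply")
    prefix, body = raw[:1], raw[1:-2]
    if prefix == b"+":
        return ("status", body.decode())
    if prefix == b"-":
        return ("error", body.decode())
    if prefix == b":":
        return ("integer", int(body))
    if prefix == b"$":
        length, _, rest = body.partition(b"\r\n")
        n = int(length)
        return ("bulk", None if n == -1 else rest[:n])
    raise ValueError("unsupported reply type %r" % prefix)


def classify(reply) -> str:
    """Map the reply to an unauthenticated PING onto an audit verdict."""
    kind, payload = reply
    if kind == "error" and payload.startswith("NOAUTH"):
        return "auth-required"      # requirepass is set: the hardened state
    if kind == "error" and payload.startswith("DENIED"):
        return "protected-mode"     # Redis protected mode refused the client
    if kind == "status" and payload == "PONG":
        return "open"               # served a command with no AUTH: the vulnerable state
    return "unknown"


def _is_complete(buf: bytes) -> bool:
    """True once buf holds a whole reply of the types parse_reply understands."""
    if b"\r\n" not in buf:
        return False
    if buf[:1] in (b"+", b"-", b":"):
        return buf.endswith(b"\r\n")
    if buf[:1] == b"$":
        header, _, rest = buf[1:].partition(b"\r\n")
        n = int(header)
        return n == -1 or len(rest) >= n + 2
    return True  # let parse_reply reject anything else


def _read_reply(sock: socket.socket) -> bytes:
    buf = b""
    while not _is_complete(buf):
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("connection closed by server")
        buf += chunk
    return buf


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> dict:
    """PING without AUTH; if the server answers, count keys with DBSIZE.

    A non-None "keys" value means an unauthenticated client has read access
    to the cache, which is the precondition for tampering with the "mfst" and
    "app|resources-tree" entries described in the advisory.
    """
    result = {"host": host, "port": port, "state": "unreachable", "keys": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(encode_command("PING"))
            result["state"] = classify(parse_reply(_read_reply(sock)))
            if result["state"] == "open":
                sock.sendall(encode_command("DBSIZE"))
                kind, count = parse_reply(_read_reply(sock))
                if kind == "integer":
                    result["keys"] = count
    except (OSError, ValueError):
        pass
    return result


if __name__ == "__main__":
    # Assumed default service name/port; override on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "argocd-redis"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 6379
    print(probe(target, target_port))
```

Run it from a pod in the same namespace as Argo CD; a result of {"state": "open", "keys": N} confirms the cache is readable and writable without credentials, while "auth-required" is the state to expect once Redis is configured with a password.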
