Description
Unauthenticated Access to sensitive settings in Argo CD
Summary
The CVE allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication.
Details
Unauthenticated Access:
Endpoint: /api/v1/settings
Description: This endpoint is intentionally accessible without any form of authentication. All sensitive settings are hidden from its response except passwordPattern.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v2.11.3
- v2.10.12
- v2.9.17
Impact
Unauthenticated Access:
- Type: Unauthorized Information Disclosure.
- Affected Parties: All users and administrators of the Argo CD instance.
- Potential Risks: Exposure of sensitive configuration data, including but not limited to deployment settings, security configurations, and internal network information.
Packages
Package: github.com/argoproj/argo-cd/v2/server
- Affected versions: >= 2.9.3, < 2.9.17; patched in 2.9.17
- Affected versions: >= 2.10.0, < 2.10.12; patched in 2.10.12
- Affected versions: >= 2.11.0, < 2.11.3; patched in 2.11.3
EPSS
5.3 Medium
CVSS3
CVE ID
Weaknesses
Related vulnerabilities
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
A vulnerability in Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, caused by flaws in the authentication procedure, which allows an attacker to gain unauthorized access to protected information.
EPSS
5.3 Medium
CVSS3