Описание
Observable Discrepancy in Argo
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.
Specific Go Packages Affected
github.com/argoproj/argo-cd/util/session github.com/argoproj/argo-cd/server/session
Пакеты
Наименование
github.com/argoproj/argo-cd
go
Затронутые версииВерсия исправления
= 1.5.0
1.5.1
Связанные уязвимости
CVSS3: 5.3
nvd
почти 6 лет назад
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.