CVE-2018-21034

Опубликовано: 09 апр. 2020

Источник: nvd

CVSS3: 6.5

CVSS2: 4

EPSS Низкий

Описание

In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.

Ссылки

https://github.com/argoproj/argo-cd/blob/a1afe44066fcd0a0ab90a02a23177164bbad42cf/util/diff/diff.go#L399
Exploit
Third Party Advisory
https://github.com/argoproj/argo-cd/issues/470
Third Party Advisory
https://github.com/argoproj/argo-cd/pull/3088
Patch
Third Party Advisory
https://www.soluble.ai/blog/argo-cves-2020
Exploit
Third Party Advisory
https://github.com/argoproj/argo-cd/blob/a1afe44066fcd0a0ab90a02a23177164bbad42cf/util/diff/diff.go#L399
Exploit
Third Party Advisory
https://github.com/argoproj/argo-cd/issues/470
Third Party Advisory
https://github.com/argoproj/argo-cd/pull/3088
Patch
Third Party Advisory
https://www.soluble.ai/blog/argo-cves-2020
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*

Версия до 1.4.2 (включая)

EPSS

Процентиль: 75%

0.00884

Низкий

6.5 Medium

CVSS3

4 Medium

CVSS2

Дефекты

CWE-200

Связанные уязвимости

GHSA-xj7v-c82w-92q2