Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
A flaw was found in Argo-CD. There is an issue with unauthenticated information disclosure of settings data through an exposed API endpoint at /api/v1/settings.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat OpenShift Data Foundation 4 | odf4/odr-rhel8-operator | Not affected | | |
| Red Hat OpenShift GitOps | openshift-gitops-1/argocd-rhel8 | Will not fix | | |
| Red Hat OpenShift GitOps | openshift-gitops-1/gitops-operator-bundle | Will not fix | | |
| Red Hat OpenShift GitOps | openshift-gitops-1/gitops-rhel8 | Will not fix | | |
| Red Hat OpenShift GitOps | openshift-gitops-1/gitops-rhel8-operator | Will not fix | | |
| Red Hat OpenShift GitOps | openshift-gitops-argocd-rhel9-container | Will not fix | | |
Additional information
Status:
EPSS:
CVSS3: 5.3 Medium
Related vulnerabilities
- Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by the /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
- Unauthenticated access to sensitive settings in Argo CD
- A vulnerability in Argo CD, the declarative GitOps continuous delivery tool for Kubernetes, caused by flaws in the authentication procedure, allowing an attacker to gain unauthorized access to protected information.
EPSS:
CVSS3: 5.3 Medium