GHSA-87p9-x75h-p4j2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-87p9-x75h-p4j2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-87p9-x75h-p4j2/GHSA-87p9-x75h-p4j2.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-87p9-x75h-p4j2
- Aliases
- Published
- 2024-06-06T21:27:43Z
- Modified
- 2024-06-17T15:26:55Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Unauthenticated Access to sensitive settings in Argo CD
- Details
-
Summary
The CVE allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication.
Details
Unauthenticated Access:
Endpoint: /api/v1/settings
Description: This endpoint is accessible without any form of authentication as expected. All sensitive settings are hidden except
passwordPattern.Patches A patch for this vulnerability has been released in the following Argo CD versions:
v2.11.3 v2.10.12 v2.9.17
Impact
Unauthenticated Access:
- Type: Unauthorized Information Disclosure.
- Affected Parties: All users and administrators of the Argo CD instance.
- Potential Risks: Exposure of sensitive configuration data, including but not limited to deployment settings, security configurations, and internal network information.
- Database specific
{ "nvd_published_at": "2024-06-06T16:15:13Z", "cwe_ids": [ "CWE-22", "CWE-287", "CWE-306", "CWE-384" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-06-06T21:27:43Z" }- References
Affected packages
Go / github.com/argoproj/argo-cd/v2/server
Package
- Name
- github.com/argoproj/argo-cd/v2/server
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v2/server
Go / github.com/argoproj/argo-cd/v2/server
Package
- Name
- github.com/argoproj/argo-cd/v2/server
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v2/server
Go / github.com/argoproj/argo-cd/v2/server
Package
- Name
- github.com/argoproj/argo-cd/v2/server
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v2/server