CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-41666 – The Argo CD web terminal session does not handle the revocation of user permissions properly.
https://notcve.org/view.php?id=CVE-2024-41666
24 Jul 2024 — Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a Web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants permission to the user `p, role:myrole, exec, create, */*, allow`, even if the user revokes this permission, the user can still perform operations in the container, as long as the user keeps the terminal view open for a long time... • https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing • CWE-269: Improper Privilege Management •
CVSS: 7.8EPSS: 3%CPEs: 3EXPL: 0CVE-2024-40634 – Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
https://notcve.org/view.php?id=CVE-2024-40634
22 Jul 2024 — Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20. Argo CD es una herramient... • https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 25%CPEs: 3EXPL: 0CVE-2024-37152 – Unauthenticated Access to sensitive settings in Argo CD
https://notcve.org/view.php?id=CVE-2024-37152
06 Jun 2024 — Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17. Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. • https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b • CWE-287: Improper Authentication CWE-306: Missing Authentication for Critical Function •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36106 – Argo CD allows authenticated users to enumerate clusters by name
https://notcve.org/view.php?id=CVE-2024-36106
06 Jun 2024 — Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17. Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. • https://github.com/argoproj/argo-cd/commit/c2647055c261a550e5da075793260f6524e65ad9 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 9.6EPSS: 8%CPEs: 5EXPL: 1CVE-2024-31989 – ArgoCD Vulnerable to Use of Risky or Missing Cryptographic Algorithms in Redis Cache
https://notcve.org/view.php?id=CVE-2024-31989
21 May 2024 — Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to... • https://github.com/vt0x78/CVE-2024-31989 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation •