CVE-2024-36106
Argo CD allows authenticated users to enumerate clusters by name
Severity Score
4.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Es posible que los usuarios autenticados enumeren los clústeres por nombre inspeccionando los mensajes de error. También es posible enumerar los nombres de proyectos con clústeres con ámbito de proyecto si conoce los nombres de los clústeres. Esta vulnerabilidad se solucionó en 2.11.3, 2.10.12 y 2.9.17.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-05-20 CVE Reserved
- 2024-06-06 CVE Published
- 2024-08-08 EPSS Updated
- 2024-09-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-209: Generation of Error Message Containing Sensitive Information
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://github.com/argoproj/argo-cd/commit/c2647055c261a550e5da075793260f6524e65ad9 | X_refsource_misc | |
| https://github.com/argoproj/argo-cd/security/advisories/GHSA-3cqf-953p-h5cp | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Argoproj Search vendor "Argoproj" | Argo-cd Search vendor "Argoproj" for product "Argo-cd" | > 0.11.0 < 2.9.17 Search vendor "Argoproj" for product "Argo-cd" and version " > 0.11.0 < 2.9.17" | en |
Affected
| ||||||
| Argoproj Search vendor "Argoproj" | Argo-cd Search vendor "Argoproj" for product "Argo-cd" | >= 2.10.0 < 2.10.12 Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.10.0 < 2.10.12" | en |
Affected
| ||||||
| Argoproj Search vendor "Argoproj" | Argo-cd Search vendor "Argoproj" for product "Argo-cd" | >= 2.11.0 < 2.11.3 Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.11.0 < 2.11.3" | en |
Affected
| ||||||