CVE-2024-37152
Unauthenticated Access to sensitive settings in Argo CD
Severity Score
5.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. La vulnerabilidad permite el acceso no autorizado a la configuración confidencial expuesta por el endpoint /api/v1/settings sin autenticación. Todas las configuraciones confidenciales están ocultas excepto el patrón de contraseña. Esta vulnerabilidad se solucionó en 2.11.3, 2.10.12 y 2.9.17.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-06-03 CVE Reserved
- 2024-06-06 CVE Published
- 2024-08-02 CVE Updated
- 2024-11-09 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-287: Improper Authentication
- CWE-306: Missing Authentication for Critical Function
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b | X_refsource_misc | |
| https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Argoproj Search vendor "Argoproj" | Argo-cd Search vendor "Argoproj" for product "Argo-cd" | >= 2.9.3 < 2.9.17 Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.9.3 < 2.9.17" | en |
Affected
| ||||||
| Argoproj Search vendor "Argoproj" | Argo-cd Search vendor "Argoproj" for product "Argo-cd" | >= 2.10.0 < 2.10.12 Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.10.0 < 2.10.12" | en |
Affected
| ||||||
| Argoproj Search vendor "Argoproj" | Argo-cd Search vendor "Argoproj" for product "Argo-cd" | >= 2.11.0 < 2.11.3 Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.11.0 < 2.11.3" | en |
Affected
| ||||||