Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-41354: Argo Real Estate

An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.

CVE
#auth

0

Skip to Content

About

How We Work

Executive Team

Locations

Services

Argo University

Video Archive

Events for Boards

Events for Building Staff

Properties

Careers

Development

Argo Residential

Board Member Portal

About

How We Work

Executive Team

Locations

Services

Argo University

Video Archive

Events for Boards

Events for Building Staff

Properties

Careers

Development

Argo Residential

Board Member Portal

Folder: About

Back

How We Work

Executive Team

Locations

Services

Folder: Argo University

Back

Video Archive

Events for Boards

Events for Building Staff

Properties

Careers

Development

Argo Residential

Board Member Portal

When you’re with Argo, we’re all with you.

Discover the “Team Argo” experience

On Your Corner, On Your Side ®

Argo makes the list!

Argo Real Estate was named one of Crain’s New York’s Best Places to Work 2022, an award that we had the honor of winning in 2021 as well. We couldn’t be more proud of how Argo team members pull together for our clients and for each other.

Related news

Red Hat Security Advisory 2023-1453-01

Red Hat Security Advisory 2023-1453-01 - An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Moderate.

Red Hat Security Advisory 2023-1454-01

Red Hat Security Advisory 2023-1454-01 - An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Moderate.

Red Hat Security Advisory 2023-1452-01

Red Hat Security Advisory 2023-1452-01 - An update is now available for Red Hat OpenShift GitOps 1.8. Red Hat Product Security has rated this update as having a security impact of Moderate.

GHSA-2q5c-qw9c-fmvq: Argo CD authenticated but unauthorized users may enumerate Application names via the API

### Impact All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges (social engineering). Many Argo CD API endpoints accept an application name as the only parameter. Since Argo CD RBAC requires both the application name and its configured project name (and, if apps-in-any-namespace is enabled, the application's namespace), Argo CD fetches the requested application before performing the RBAC check. If the application does not exist, the API returns a "not found". If the application does exist, and the user does not have access, the API returns an "unauthorized" error. By trial and error, an attacker can infer which applications exist ...

RHSA-2023:1454: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41354: An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant ...

RHSA-2023:1453: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41354: An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant ...

RHSA-2023:1452: Red Hat Security Advisory: Red Hat OpenShift GitOps security update

An update is now available for Red Hat OpenShift GitOps 1.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-41354: An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant ...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907