Headline

GHSA-87p9-x75h-p4j2: Unauthenticated Access to sensitive settings in Argo CD

The CVE allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication.

Description: This endpoint is accessible without any form of authentication as expected. All sensitive settings are hidden except passwordPattern.

Patches A patch for this vulnerability has been released in the following Argo CD versions:

v2.11.3 v2.10.12 v2.9.17

Type: Unauthorized Information Disclosure.
Affected Parties: All users and administrators of the Argo CD instance.
Potential Risks: Exposure of sensitive configuration data, including but not limited to deployment settings, security configurations, and internal network information.

7 months ago

Unauthenticated Access to sensitive settings in Argo CD

Moderate severity GitHub Reviewed Published Jun 6, 2024 in argoproj/argo-cd • Updated Jun 6, 2024

Package

gomod github.com/argoproj/argo-cd/v2/server (Go)

Affected versions

>= 2.9.3, < 2.9.17

>= 2.10.0, < 2.10.12

>= 2.11.0, < 2.11.3

Patched versions

2.9.17

2.10.12

2.11.3

Summary

The CVE allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication.

Details******Unauthenticated Access:******Endpoint: /api/v1/settings

Description: This endpoint is accessible without any form of authentication as expected. All sensitive settings are hidden except passwordPattern.

Patches
A patch for this vulnerability has been released in the following Argo CD versions:

v2.11.3
v2.10.12
v2.9.17

Impact****Unauthenticated Access:

Type: Unauthorized Information Disclosure.
Affected Parties: All users and administrators of the Argo CD instance.
Potential Risks: Exposure of sensitive configuration data, including but not limited to deployment settings, security configurations, and internal network information.

References