Vulnerability Details CVE-2024-37152
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by the /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.244
EPSS Ranking 95.8%
CVSS Severity
CVSS v3 Score 5.3
Products affected by CVE-2024-37152
- cpe:2.3:a:argoproj:argo_cd:2.10.0
- cpe:2.3:a:argoproj:argo_cd:2.10.1
- cpe:2.3:a:argoproj:argo_cd:2.10.10
- cpe:2.3:a:argoproj:argo_cd:2.10.11
- cpe:2.3:a:argoproj:argo_cd:2.10.2
- cpe:2.3:a:argoproj:argo_cd:2.10.3
- cpe:2.3:a:argoproj:argo_cd:2.10.4
- cpe:2.3:a:argoproj:argo_cd:2.10.5
- cpe:2.3:a:argoproj:argo_cd:2.10.6
- cpe:2.3:a:argoproj:argo_cd:2.10.7
- cpe:2.3:a:argoproj:argo_cd:2.10.8
- cpe:2.3:a:argoproj:argo_cd:2.10.9
- cpe:2.3:a:argoproj:argo_cd:2.11.0
- cpe:2.3:a:argoproj:argo_cd:2.11.1
- cpe:2.3:a:argoproj:argo_cd:2.11.2
- cpe:2.3:a:argoproj:argo_cd:2.9.10
- cpe:2.3:a:argoproj:argo_cd:2.9.11
- cpe:2.3:a:argoproj:argo_cd:2.9.12
- cpe:2.3:a:argoproj:argo_cd:2.9.13
- cpe:2.3:a:argoproj:argo_cd:2.9.14
- cpe:2.3:a:argoproj:argo_cd:2.9.15
- cpe:2.3:a:argoproj:argo_cd:2.9.16
- cpe:2.3:a:argoproj:argo_cd:2.9.3
- cpe:2.3:a:argoproj:argo_cd:2.9.4
- cpe:2.3:a:argoproj:argo_cd:2.9.5
- cpe:2.3:a:argoproj:argo_cd:2.9.6
- cpe:2.3:a:argoproj:argo_cd:2.9.7
- cpe:2.3:a:argoproj:argo_cd:2.9.8
- cpe:2.3:a:argoproj:argo_cd:2.9.9