Argoproj: >> Argo Cd >> 0.10.6 Security Vulnerabilities
A flaw was found in argocd. Any unprivileged user is able to deploy argocd in their namespace and with the created ServiceAccount argocd-argocd-server, the unprivileged user is able to read all resources of the cluster including all secrets which might enable privilege escalations. The highest threat from this vulnerability is to data confidentiality.
CVSS Score
6.5
EPSS Score
0.002
Published
2022-02-16
Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.
CVSS Score
7.7
EPSS Score
0.055
Published
2022-02-04
An issue was discovered in Argo CD before 1.8.4. Accessing the endpoint /api/version leaks internal information for the system, and this endpoint is not protected with authentication.
CVSS Score
7.5
EPSS Score
0.005
Published
2021-03-15
An issue was discovered in Argo CD before 1.8.4. Browser XSS protection is not activated due to the missing XSS protection header.
CVSS Score
6.1
EPSS Score
0.002
Published
2021-03-15
The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user.
CVSS Score
4.7
EPSS Score
0.003
Published
2021-03-03
In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled.
CVSS Score
6.5
EPSS Score
0.002
Published
2021-02-09
In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.
CVSS Score
6.5
EPSS Score
0.007
Published
2020-04-09
As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-04-08
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
CVSS Score
7.5
EPSS Score
0.007
Published
2020-04-08
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.
CVSS Score
8.8
EPSS Score
0.005
Published
2020-04-08