Argoproj: >> Argo Cd >> 0.12.1 Security Vulnerabilities
As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication.
CVSS Score
7.5
EPSS Score
0.004
Published
2020-04-08
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
CVSS Score
7.5
EPSS Score
0.007
Published
2020-04-08
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.
CVSS Score
8.8
EPSS Score
0.005
Published
2020-04-08
Page 3