Vulnerabilities for Argo continuous delivery (...) - CXSECURITY.COM

Vulnerabilities for 'Argo continuous delivery'

2021-03-03

CVE-2021-23347

CWE-79

The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user.

2021-02-09

CVE-2021-26921

CWE-613

In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled.

2020-04-09

CVE-2018-21034

CWE-200

In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.

2020-04-08

CVE-2020-8828

CWE-269

As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.

CVE-2020-8827

CWE-287

As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.

CVE-2020-8826

CWE-384

As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration�??there was no refresh or forced re-authentication.

>>> Vendor: Linuxfoundation 32 Products

Foomatic-filters

Open network operating system

The update framework

Argo continuous delivery

Free range routing

Open container initiative distribution specification

Open container initiative image format specification

Copyright 2024, cxsecurity.com