RSS   Podatności dla 'Argo continuous delivery'   RSS

2021-03-03
 
CVE-2021-23347

CWE-79
 

 
The package github.com/argoproj/argo-cd/cmd before 1.7.13, from 1.8.0 and before 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user.

 
2021-02-09
 
CVE-2021-26921

CWE-613
 

 
In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled.

 
2020-04-09
 
CVE-2018-21034

CWE-200
 

 
In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.

 
2020-04-08
 
CVE-2020-8828

CWE-269
 

 
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.

 
 
CVE-2020-8827

CWE-287
 

 
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.

 
 
CVE-2020-8826

CWE-384
 

 

 

 >>> Vendor: Linuxfoundation 31 Produkty
Foomatic
Cups-filters
XEN
Foomatic-filters
Open network operating system
RUNC
The update framework
DOJO
Dojox
Argo continuous delivery
CEPH
Free range routing
Jaeger
Osquery
Harbor
ACRN
Nats-server
Containerd
Spinnaker
DEX
Indy-node
BESU
Argo-cd
Umoci
Grpc swift
Cortex
Backstage
Open container initiative distribution specification
Open container initiative image format specification
Fabric
Auth backend


Copyright 2022, cxsecurity.com

 

Back to Top