Vulnerability CVE-2018-21034


Published: 2020-04-09

Description:
In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.

Type: CWE-200 (Information Exposure)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10

Exploit range: Remote
Attack complexity: Low
Authentication: Single time

Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Affected software:
Linuxfoundation -> Argo continuous delivery 
CNCF -> Argo continuous delivery 

 References:
https://github.com/argoproj/argo-cd/blob/a1afe44066fcd0a0ab90a02a23177164bbad42cf/util/diff/diff.go#L399
https://github.com/argoproj/argo-cd/issues/470
https://github.com/argoproj/argo-cd/pull/3088
https://www.soluble.ai/blog/argo-cves-2020

Copyright 2024, cxsecurity.com

 
