Moderate severity · NVD Advisory · Published Jun 6, 2024 · Updated Aug 2, 2024
Unauthenticated Access to sensitive settings in Argo CD
CVE-2024-37152
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In affected versions the API server answers GET /api/v1/settings for callers with no session at all. Most sensitive fields are already left out of that anonymous response, but passwordPattern, the pattern Argo CD enforces on local-account passwords, was copied into the response unconditionally, so anyone who can reach the API could read the exact complexity rule that local passwords must satisfy. The fix returns passwordPattern only when the request carries an authenticated session; the rest of the anonymous response is unchanged. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
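The Go program below is an added illustration of the behaviour just described and is not code from Argo CD. It models the settings response with one anonymous-safe field and the sensitive passwordPattern, puts the pre-fix builder (pattern copied for every caller) beside the hardened one (pattern added only when the context proves a session), serves both through the same HTTP handler, and runs the unauthenticated GET a practitioner would use to check an instance. The Settings and ServerConfig types, the JSON names, and the WithLogin/loggedIn context marker standing in for sessionmgr.LoggedIn are assumptions of this example.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Settings is a stand-in for the /api/v1/settings response with only the
// fields this example needs. The field set and JSON names are assumptions,
// not Argo CD's generated API types.
type Settings struct {
	URL             string `json:"url"`
	PasswordPattern string `json:"passwordPattern,omitempty"`
}

// ServerConfig stands in for the values the server reads from argocd-cm.
type ServerConfig struct {
	URL             string
	PasswordPattern string
}

type sessionKey struct{}

// WithLogin marks a context as carrying an authenticated session. It replaces
// Argo CD's sessionmgr.LoggedIn for this example; real code must derive this
// from verified session claims, never from a client-controlled value.
func WithLogin(ctx context.Context) context.Context {
	return context.WithValue(ctx, sessionKey{}, true)
}

func loggedIn(ctx context.Context) bool {
	v, _ := ctx.Value(sessionKey{}).(bool)
	return v
}

// Builder turns server config plus the request context into the response.
type Builder func(ctx context.Context, cfg ServerConfig) Settings

// VulnerableSettings copies the password pattern into the response for every
// caller, which is the pre-fix behaviour behind CVE-2024-37152.
func VulnerableSettings(_ context.Context, cfg ServerConfig) Settings {
	return Settings{URL: cfg.URL, PasswordPattern: cfg.PasswordPattern}
}

// FixedSettings builds the anonymous-safe response first and adds the
// pattern only when the context proves an authenticated session.
func FixedSettings(ctx context.Context, cfg ServerConfig) Settings {
	set := Settings{URL: cfg.URL}
	if loggedIn(ctx) {
		set.PasswordPattern = cfg.PasswordPattern
	}
	return set
}

// Handler serves the settings as JSON. Nothing attaches a session marker to
// the request context, so every request through it is anonymous.
func Handler(cfg ServerConfig, build Builder) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(build(r.Context(), cfg))
	})
}

// AnonymousPasswordPattern performs the unauthenticated GET and returns
// whatever passwordPattern value the server handed out, empty if none.
func AnonymousPasswordPattern(h http.Handler) (string, error) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	resp, err := http.Get(srv.URL + "/api/v1/settings")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var got Settings
	if err := json.NewDecoder(resp.Body).Decode(&got); err != nil {
		return "", err
	}
	return got.PasswordPattern, nil
}

func main() {
	// Constructed configuration for the demonstration.
	cfg := ServerConfig{URL: "https://argocd.example.internal", PasswordPattern: "^.{8,32}$"}
	for name, build := range map[string]Builder{"vulnerable": VulnerableSettings, "fixed": FixedSettings} {
		pat, err := AnonymousPasswordPattern(Handler(cfg, build))
		fmt.Printf("%-10s anonymous caller receives passwordPattern=%q err=%v\n", name, pat, err)
	}
	fmt.Printf("fixed, authenticated caller receives passwordPattern=%q\n",
		FixedSettings(WithLogin(context.Background()), cfg).PasswordPattern)
}
```

Running the file shows the vulnerable builder handing the pattern to an anonymous caller and the fixed builder withholding it while still returning it to a logged-in one. Against a live instance the equivalent check is an unauthenticated GET of /api/v1/settings: a non-empty passwordPattern value in that response indicates a version before 2.11.3, 2.10.12, or 2.9.17. If the instance configures no pattern at all the field is empty either way, so in that case check the server version instead.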
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/argoproj/argo-cd/v2/server | Go | >= 2.9.3, < 2.9.17 | 2.9.17 |
| github.com/argoproj/argo-cd/v2/server | Go | >= 2.10.0, < 2.10.12 | 2.10.12 |
| github.com/argoproj/argo-cd/v2/server | Go | >= 2.11.0, < 2.11.3 | 2.11.3 |
Affected products
Patches
256d90178b11 Merge pull request from GHSA-87p9-x75h-p4j2
1 file changed · +3 −1
server/settings/settings.go+3 −1 modified@@ -109,7 +109,6 @@ func (s *Server) Get(ctx context.Context, q *settingspkg.SettingsQuery) (*settin UserLoginsDisabled: userLoginsDisabled, KustomizeVersions: kustomizeVersions, UiCssURL: argoCDSettings.UiCssURL, - PasswordPattern: argoCDSettings.PasswordPattern, TrackingMethod: trackingMethod, ExecEnabled: argoCDSettings.ExecEnabled, AppsInAnyNamespaceEnabled: s.appsInAnyNamespaceEnabled, @@ -122,6 +121,9 @@ func (s *Server) Get(ctx context.Context, q *settingspkg.SettingsQuery) (*settin set.UiBannerPosition = argoCDSettings.UiBannerPosition set.ControllerNamespace = s.mgr.GetNamespace() } + if sessionmgr.LoggedIn(ctx) { + set.PasswordPattern = argoCDSettings.PasswordPattern + } if argoCDSettings.DexConfig != "" { var cfg settingspkg.DexConfig err = yaml.Unmarshal([]byte(argoCDSettings.DexConfig), &cfg)
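Review bot: in the first hunk (the struct literal at line 109) nothing records why PasswordPattern is gone, and nothing marks the fields still in the literal (UiCssURL, TrackingMethod, ExecEnabled, AppsInAnyNamespaceEnabled) as the set deliberately returned to unauthenticated callers, so the next setting added here will land in the anonymous response by default. Add a comment above the literal, e.g. `// Every field set here is returned to unauthenticated callers;` `// anything sensitive belongs in the LoggedIn block below.`, so the missing line reads as intentional rather than as a dropped assignment.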
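Review bot: the `if sessionmgr.LoggedIn(ctx)` block in the second hunk (line 124) is the entire fix, yet the commit touches only server/settings/settings.go (1 file changed, +3 −1), so no test pins the behaviour and a later change that moves PasswordPattern back into the literal would pass CI. Add a test that calls Get with an unauthenticated context and asserts an empty PasswordPattern, then with a logged-in context and asserts the configured value. Since the gate is LoggedIn rather than an admin check, a one-line comment stating that any authenticated user is meant to see the pattern would make that scope visibly intentional.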
References
- github.com/advisories/GHSA-87p9-x75h-p4j2 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-37152 (NVD entry)
- github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b (fix commit)
- github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2 (project advisory)
- pkg.go.dev/vuln/GO-2024-2902 (Go vulnerability database)