Moderate severity · NVD Advisory · Published Jun 6, 2024 · Updated Aug 2, 2024
Unauthenticated Access to sensitive settings in Argo CD
CVE-2024-37152
Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by the /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/argoproj/argo-cd/v2/server | Go | >= 2.9.3, < 2.9.17 | 2.9.17 |
| github.com/argoproj/argo-cd/v2/server | Go | >= 2.10.0, < 2.10.12 | 2.10.12 |
| github.com/argoproj/argo-cd/v2/server | Go | >= 2.11.0, < 2.11.3 | 2.11.3 |
Affected products
3 OSV coordinates (no CPE assigned), 2 version ranges:
- >= 2.9.3, < 2.11.3 (+ 1 more)
- >= 2.9.3, < 2.9.17
References
- github.com/advisories/GHSA-87p9-x75h-p4j2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-37152 (NVD advisory)
- github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b (commit, MISC)
- github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2 (vendor advisory, CONFIRM)
- pkg.go.dev/vuln/GO-2024-2902 (Go vulnerability database)