Argo CD
by Argo CD
CVEs (5)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-26923 | | High | 0.49 | 7.5 | 0.01 | | Mar 15, 2021 | An issue was discovered in Argo CD before 1.8.4. Accessing the endpoint /api/version leaks internal information for the system, and this endpoint is not protected with authentication. |
| CVE-2020-8826 | | High | 0.49 | 7.5 | 0.02 | | Apr 8, 2020 | As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication. |
| CVE-2021-26924 | | Medium | 0.40 | 6.1 | 0.01 | | Mar 15, 2021 | An issue was discovered in Argo CD before 1.8.4. Browser XSS protection is not activated due to the missing XSS protection header. |
| CVE-2021-23135 | | Medium | 0.38 | 5.9 | 0.00 | | May 12, 2021 | Exposure of System Data to an Unauthorized Control Sphere vulnerability in web UI of Argo CD allows attacker to cause leaked secret data into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14. |
| CVE-2021-26921 | | Medium | 0.00 | 6.5 | 0.01 | | Feb 9, 2021 | In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled. |