VYPR

Argo CD

by Argo CD

CVEs (5)

  • CVE-2021-26923 (High, Mar 15, 2021)
    risk 0.49, cvss 7.5, epss 0.01

    An issue was discovered in Argo CD before 1.8.4. Accessing the endpoint /api/version leaks internal information for the system, and this endpoint is not protected with authentication.

  • CVE-2020-8826 (High, Apr 8, 2020)
    risk 0.49, cvss 7.5, epss 0.02

    As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication.

  • CVE-2021-26924 (Medium, Mar 15, 2021)
    risk 0.40, cvss 6.1, epss 0.01

    An issue was discovered in Argo CD before 1.8.4. Browser XSS protection is not activated due to the missing XSS protection header.

  • CVE-2021-23135 (Medium, May 12, 2021)
    risk 0.38, cvss 5.9, epss 0.00

    An Exposure of System Data to an Unauthorized Control Sphere vulnerability in the web UI of Argo CD allows an attacker to cause secret data to be leaked into web UI error messages and logs. This issue affects Argo CD 1.8 versions prior to 1.8.7; 1.7 versions prior to 1.7.14.

  • CVE-2021-26921 (Medium, Feb 9, 2021)
    risk 0.00, cvss 6.5, epss 0.01

    In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled.