Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
linuxfoundation argo continuous delivery vulnerabilities and exploits
(subscribe to this query)
3.5
CVSSv2
CVE-2021-23347
The package github.com/argoproj/argo-cd/cmd prior to 1.7.13, from 1.8.0 and prior to 1.8.6 are vulnerable to Cross-site Scripting (XSS) the SSO provider connected to Argo CD would have to send back a malicious error message containing JavaScript to the user.
Linuxfoundation Argo Continuous Delivery
5
CVSSv2
CVE-2021-26921
In util/session/sessionmanager.go in Argo CD prior to 1.8.4, tokens continue to work even when the user account is disabled.
Linuxfoundation Argo Continuous Delivery
4
CVSSv2
CVE-2018-21034
In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.
Linuxfoundation Argo Continuous Delivery
5
CVSSv2
CVE-2020-8827
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
Linuxfoundation Argo Continuous Delivery
5
CVSSv2
CVE-2020-8826
As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication.
Linuxfoundation Argo Continuous Delivery
6.5
CVSSv2
CVE-2020-8828
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are n...
Linuxfoundation Argo Continuous Delivery
5
CVSSv2
CVE-2020-11576
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed malicious users to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.
Linuxfoundation Argo Continuous Delivery 1.5.0
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
camera
bypass
CVE-2024-3592
CVE-2024-37383
CVE-2024-24919
CVE-2024-27822
CVE-2024-36788
CVE-2024-36789
man-in-the-middle
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3