CVE-2024-37152

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by  /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
GitHub_MCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 95%
VendorProductVersion
argoprojargo_cd
2.9.3 ≤
𝑥
< 2.9.17
argoprojargo_cd
2.10.0 ≤
𝑥
< 2.10.12
argoprojargo_cd
2.11.0 ≤
𝑥
< 2.11.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b
https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2
https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b
https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2