First published: Wed Apr 08 2020
Fixed in v1.5.1. Argo v1.5.0 was vulnerable to a user-enumeration vulnerability that allowed attackers to determine the usernames of valid (non-SSO) accounts, because /api/v1/session returned 401 for an existing username and 404 otherwise.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| go/github.com/argoproj/argo-cd | =1.5.0 | 1.5.1 |
| Linuxfoundation Argo Continuous Delivery | =1.5.0 | |
| Argoproj Argo Cd | =1.5.0 | |
CVE-2020-11576 is a user-enumeration vulnerability in Argo version 1.5.0 that allows attackers to determine the usernames of valid non-SSO accounts.
CVE-2020-11576 has a severity level of medium with a CVSS score of 5.3.
To fix CVE-2020-11576, update to Argo version 1.5.1, which contains the necessary security fixes.
CVE-2020-11576 affects Argo Continuous Delivery version 1.5.0 and Argo CD version 1.5.0.
References for CVE-2020-11576: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-11576), [Argo CD Pull Request](https://github.com/argoproj/argo-cd/pull/3215), [Argo CD Commit](https://github.com/argoproj/argo-cd/commit/35a7350b7444bcaf53ee0bb11b9d8e3ae4b717a1).
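The response-code pattern described in this advisory (404 for an unknown user, 401 for a known user with a wrong password) is a general login-endpoint anti-pattern, and the fix is to return one status and one body for every failed login. The following Go example is added here for illustration and is not Argo CD's code: it shows a handler that reproduces the leaky behaviour next to a hardened one, plus a regression check `leaksExistence` that a maintainer can keep in a test suite so the distinction never comes back. The `/api/v1/session` path is the one named above; the JSON field names, the in-memory `accounts` store and the SHA-256 password comparison are assumptions made to keep the example dependency-free (a real service would use a slow password hash such as bcrypt).

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// loginRequest is an assumed request body; the field names are not Argo CD's wire format.
type loginRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// accounts is a constructed in-memory store: username -> SHA-256 of the password.
// SHA-256 is used only to avoid a dependency; production code needs a slow password hash.
var accounts = map[string][32]byte{
	"admin": sha256.Sum256([]byte("correct-horse-battery")),
}

// dummyHash is compared against when the username is unknown, so both failure
// paths do the same work and take roughly the same time.
var dummyHash = sha256.Sum256([]byte("dummy-placeholder-never-a-real-password"))

func passwordMatches(stored [32]byte, candidate string) bool {
	got := sha256.Sum256([]byte(candidate))
	return subtle.ConstantTimeCompare(stored[:], got[:]) == 1
}

func decode(r *http.Request) (loginRequest, bool) {
	var req loginRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		return req, false
	}
	return req, true
}

// vulnerableSession reproduces the pattern the advisory describes:
// an unknown username yields 404, a known one with a bad password yields 401.
func vulnerableSession(w http.ResponseWriter, r *http.Request) {
	req, ok := decode(r)
	if !ok {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	stored, exists := accounts[req.Username]
	if !exists {
		http.Error(w, "user not found", http.StatusNotFound) // leaks account existence
		return
	}
	if !passwordMatches(stored, req.Password) {
		http.Error(w, "invalid password", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedSession returns one status and one body for every failed login and
// always performs the comparison, even when the user does not exist.
func hardenedSession(w http.ResponseWriter, r *http.Request) {
	req, ok := decode(r)
	if !ok {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	stored, exists := accounts[req.Username]
	if !exists {
		stored = dummyHash
	}
	match := passwordMatches(stored, req.Password) // evaluated on both paths
	if !exists || !match {
		http.Error(w, "invalid username or password", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// attempt posts one login to a handler in-process and returns status and trimmed body.
func attempt(h http.HandlerFunc, user, pass string) (int, string) {
	body, _ := json.Marshal(loginRequest{Username: user, Password: pass})
	r := httptest.NewRequest(http.MethodPost, "/api/v1/session", bytes.NewReader(body))
	w := httptest.NewRecorder()
	h(w, r)
	return w.Code, strings.TrimSpace(w.Body.String())
}

// leaksExistence is a regression check for a test suite: with a wrong password,
// does a known username produce a different response than an unknown one?
func leaksExistence(h http.HandlerFunc) bool {
	s1, b1 := attempt(h, "admin", "wrong")
	s2, b2 := attempt(h, "no-such-user", "wrong")
	return s1 != s2 || b1 != b2
}

func main() {
	for name, h := range map[string]http.HandlerFunc{"vulnerable": vulnerableSession, "hardened": hardenedSession} {
		fmt.Printf("%-10s handler leaks account existence: %v\n", name, leaksExistence(h))
	}
}
```

The check compares status and body; when adding it to a real suite, consider also comparing headers and response timing, since either can distinguish the two paths even when the status codes agree.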