First published: Wed Apr 08 2020
As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix
---|---|---
go/github.com/argoproj/argo-cd | <=1.8.0 | 
Linuxfoundation Argo Continuous Delivery | <1.5.0 | 
Argoproj Argo Cd | <1.5.0 | 
CVE-2020-8828 is a vulnerability in Argo CD versions 1.8.0 and prior, where the default admin password is set to the argocd-server pod name.
CVE-2020-8828 has a severity rating of 8.8 (high).
CVE-2020-8828 can be exploited by insiders with access to the cluster or logs, allowing them to abuse the default admin password for privilege escalation.
The most realistic threat for CVE-2020-8828 is a malicious insider with access to the cluster or logs.
To fix CVE-2020-8828, it is recommended to upgrade Argo CD to a version that is not affected by this vulnerability.