First published: Wed May 19 2021
A flaw was found in argocd. Any unprivileged user is able to deploy argocd in their namespace, and with the created ServiceAccount argocd-argocd-server that user is able to read all resources of the cluster, including all secrets, which might enable privilege escalation. The highest threat from this vulnerability is to data confidentiality.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Linuxfoundation Argo-cd | <1.1.1 | |
Redhat Openshift Gitops | =1.1 | |
redhat/argocd | <1.1.1 | 1.1.1 |
Argoproj Argo Cd | <1.1.1 | |
The vulnerability ID for this flaw in argocd is CVE-2021-3557.
The severity of CVE-2021-3557 is medium.
CVE-2021-3557 allows any unprivileged user to deploy argocd in their namespace and read all resources of the cluster, including secrets, potentially enabling privilege escalations.
The affected software versions are Argo CD up to version 1.1.1 and Red Hat OpenShift GitOps version 1.1.
To fix CVE-2021-3557, update Argo CD to version 1.1.2 or later.
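The exposure this advisory describes is a ServiceAccount in an ordinary user's namespace that holds cluster-wide read access to Secrets. The following audit script is an added example, not code from the advisory or from the Argo CD project: it takes the JSON that `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` return and flags ServiceAccounts outside a trusted-namespace set that are bound through a ClusterRoleBinding to a role able to read Secrets (or every resource). The trusted namespaces and the sample role and binding names are assumptions.

```python
"""Flag ServiceAccounts outside trusted namespaces that are bound cluster-wide
to a ClusterRole able to read Secrets (the CVE-2021-3557 pattern)."""
import json  # the functions take `kubectl get ... -o json` output parsed with json.loads

READ_VERBS = {"get", "list", "watch", "*"}
# Assumption: namespaces where a cluster-wide reader is expected and has been reviewed.
TRUSTED_NAMESPACES = {"kube-system", "openshift-gitops"}


def rule_reads_secrets(rule):
    """True if one RBAC rule grants read on Secrets, or on every resource."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return bool({"", "*"} & groups and {"secrets", "*"} & resources and READ_VERBS & verbs)


def find_cluster_secret_readers(clusterroles, bindings, trusted=TRUSTED_NAMESPACES):
    """Return (namespace, serviceaccount, clusterrole) for every SA in an
    untrusted namespace bound through a ClusterRoleBinding to a Secret-reading role."""
    risky = {cr["metadata"]["name"] for cr in clusterroles["items"]
             if any(rule_reads_secrets(r) for r in cr.get("rules") or [])}
    findings = []
    for crb in bindings["items"]:
        ref = crb["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in risky:
            continue  # namespaced Role refs and harmless roles are not cluster-wide secret readers
        for subj in crb.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount" and subj.get("namespace") not in trusted:
                findings.append((subj["namespace"], subj["name"], ref["name"]))
    return findings


# Constructed sample in the shape kubectl returns: an Argo CD server SA in a
# user's namespace with cluster-wide read, beside a harmless pod-viewer binding.
SAMPLE_ROLES = json.loads("""{"items": [
  {"metadata": {"name": "argocd-server-reader"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
  {"metadata": {"name": "pod-viewer"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}
]}""")
SAMPLE_BINDINGS = json.loads("""{"items": [
  {"roleRef": {"kind": "ClusterRole", "name": "argocd-server-reader"},
   "subjects": [{"kind": "ServiceAccount", "name": "argocd-argocd-server", "namespace": "alice-dev"}]},
  {"roleRef": {"kind": "ClusterRole", "name": "pod-viewer"},
   "subjects": [{"kind": "ServiceAccount", "name": "monitor", "namespace": "alice-dev"}]}
]}""")

if __name__ == "__main__":
    for ns, sa, role in find_cluster_secret_readers(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(f"FINDING: {ns}/{sa} can read Secrets cluster-wide via ClusterRole {role}")
```

Aggregated ClusterRoles and group subjects are not expanded here, so treat an empty result as a first pass rather than a clean bill of health.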