First published: Thu Jun 06 2024(Updated: )
# Summary

This vulnerability allows unauthorized access to sensitive settings exposed by the `/api/v1/settings` endpoint without authentication.

# Details

## Unauthenticated Access

### Endpoint: `/api/v1/settings`

Description: This endpoint is accessible without any form of authentication, which is expected. All sensitive settings are hidden except `passwordPattern`.

# Patches

A patch for this vulnerability has been released in the following Argo CD versions:

* v2.11.3
* v2.10.12
* v2.9.17

# Impact

## Unauthenticated Access

* Type: Unauthorized Information Disclosure.
* Affected Parties: All users and administrators of the Argo CD instance.
* Potential Risks: Exposure of sensitive configuration data, including but not limited to deployment settings, security configurations, and internal network information.
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
go/github.com/argoproj/argo-cd/v2/server | >=2.11.0, <2.11.3 | 2.11.3
go/github.com/argoproj/argo-cd/v2/server | >=2.10.0, <2.10.12 | 2.10.12
go/github.com/argoproj/argo-cd/v2/server | >=2.9.3, <2.9.17 | 2.9.17
Argoproj Argo Cd | >=2.9.3, <2.9.17 |
Argoproj Argo Cd | >=2.10.0, <2.10.12 |
Argoproj Argo Cd | >=2.11.0, <2.11.3 |
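The affected ranges in the table are half-open (`>=` lower bound, `<` upper bound), and a plain string comparison gets them wrong (`"2.9.3" < "2.9.17"` is false as text). The following is an added example, not code from the advisory or from the Argo CD project: a small Go checker that parses a `MAJOR.MINOR.PATCH` tag, compares it numerically against the three ranges listed above, and reports the release to upgrade to. It only knows the ranges printed on this page, so a version below 2.9.3 comes back "not affected" because the table lists no range for it, not because it has been verified safe; the handling of a `+build` suffix is my assumption about the shape of Argo CD version strings.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// semver is a minimal MAJOR.MINOR.PATCH triple; Argo CD release tags follow this shape.
type semver struct{ major, minor, patch int }

// parseVersion accepts "2.11.2" or "v2.11.2". A "+build" suffix (assumed shape of
// Argo CD version strings) is dropped; anything else that is not three integers is rejected.
func parseVersion(s string) (semver, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("expected MAJOR.MINOR.PATCH, got %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return semver{}, fmt.Errorf("bad component %q in %q", p, s)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

// less compares component-wise so that 2.9.3 < 2.9.17, unlike a string compare.
func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// affectedRange mirrors one row of the advisory table: versions in [lo, hi) are
// vulnerable and fixed is the patched release for that minor line.
type affectedRange struct{ lo, hi, fixed string }

// affectedRanges are copied from the advisory table above.
var affectedRanges = []affectedRange{
	{"2.11.0", "2.11.3", "2.11.3"},
	{"2.10.0", "2.10.12", "2.10.12"},
	{"2.9.3", "2.9.17", "2.9.17"},
}

// IsAffected reports whether version falls inside one of the listed ranges and,
// if so, which release to upgrade to. Versions outside every range return false,
// which only means "not listed on this page".
func IsAffected(version string) (bool, string, error) {
	v, err := parseVersion(version)
	if err != nil {
		return false, "", err
	}
	for _, r := range affectedRanges {
		lo, _ := parseVersion(r.lo) // table constants are well-formed
		hi, _ := parseVersion(r.hi)
		if !v.less(lo) && v.less(hi) {
			return true, r.fixed, nil
		}
	}
	return false, "", nil
}

func main() {
	// Constructed sample inputs, one per interesting boundary.
	for _, ver := range []string{"v2.11.2", "v2.11.3", "v2.9.3+abc123", "v2.9.2", "2.10"} {
		vuln, fix, err := IsAffected(ver)
		switch {
		case err != nil:
			fmt.Printf("%-14s unparseable: %v\n", ver, err)
		case vuln:
			fmt.Printf("%-14s AFFECTED, upgrade to %s\n", ver, fix)
		default:
			fmt.Printf("%-14s not in a listed range\n", ver)
		}
	}
}
```

Feed it the version string reported by your deployment; the boundaries that matter are the ones the sample loop exercises: the last vulnerable patch of each line, the fixed release itself, and the 2.9.3 lower bound.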