Description
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.
References (3)
Core 3
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/argoproj/argo-cd/pull/3215
Patch, Third Party Advisory x_refsource_misc
https://github.com/argoproj/argo-cd/commit/35a7350b7444bcaf53ee0bb11b9d8e3ae4b717a1
Third Party Advisory x_refsource_misc
https://www.soluble.ai/blog/argo-cves-2020
Scores
CVSS v3
5.3
EPSS
0.0025
EPSS Percentile
47.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-203
Status
published
Products (2)
argoproj/argo-cd
1.5.0 - 1.5.1Go
argoproj/argo_cd
1.5.0
Published
Apr 08, 2020
Tracked Since
Feb 18, 2026