CVE-2024-37152

MEDIUM NUCLEI

Argo CD 2.9.3-2.9.16 - Unauthenticated Sensitive Settings Exposure via /api/v1/settings Endpoint

Title source: llm

Exploitation Summary

CVE-2024-37152 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthenticated access to the sensitive settings exposed by the /api/v1/settings endpoint. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.

Nuclei Templates (1)

Argo CD Unauthenticated Access to sensitive setting
MEDIUM, VERIFIED, by DhiyaneshDk
Shodan: html:"Argo CD"

Scores

CVSS v3 5.3
EPSS 0.0235
EPSS Percentile 81.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-287 CWE-306
Status published
Products (2)
argoproj/argo-cd 2.9.3 - 2.9.17 (Go)
argoproj/argo_cd 2.9.3 - 2.9.17
Published Jun 06, 2024
Tracked Since Feb 18, 2026