CVE-2024-37152

MEDIUM NUCLEI

Argoproj Argo CD < 2.9.17 - Missing Authentication

Title source: rule

Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthenticated access to the sensitive settings exposed by the /api/v1/settings endpoint. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.

Nuclei Templates (1)

Argo CD Unauthenticated Access to sensitive setting
MEDIUM | VERIFIED | by DhiyaneshDk
Shodan: html:"Argo CD"

Scores

CVSS v3 5.3
EPSS 0.8020
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-287, CWE-306
Status published
Products (2)
argoproj/argo-cd 2.9.3 - 2.9.17 (Go)
argoproj/argo_cd 2.9.3 - 2.9.17
Published Jun 06, 2024
Tracked Since Feb 18, 2026