Filtered by vendor Argoproj
Subscribe
Total
64 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8827 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence. | |||||
| CVE-2020-8826 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication. | |||||
| CVE-2020-11576 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise. | |||||
| CVE-2018-21034 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git. | |||||