CVE-2020-11576
Published: 2020-04-08
Priority: P426 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
EPSS: 1.92% (77.4th percentile)
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo_cd | — | — |
| github.com | argoproj_argo-cd | >= 1.5.0 < 1.5.1 | 1.5.1 |
CVSS provenance
- NVD, CVSS v3.1: 5.3 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
- NVD, CVSS v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
OSV (2024-08-21): CVE-2020-11576 Observable Discrepancy in Argo in github.com/argoproj/argo-cd
OSV (2021-12-09): CVE-2020-11576 [MEDIUM] Observable Discrepancy in Argo
### Specific Go Packages Affected
github.com/argoproj/argo-cd/util/session
github.com/argoproj/argo-cd/server/session
GHSA (2021-12-09): CVE-2020-11576 [MEDIUM] CWE-203 Observable Discrepancy in Argo
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/argoproj/argo-cd/commit/35a7350b7444bcaf53ee0bb11b9d8e3ae4b717a1
- https://github.com/argoproj/argo-cd/pull/3215
- https://www.soluble.ai/blog/argo-cves-2020