CVE-2020-8827
Published 2020-04-08
Priority: P3 | Severity: high | CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 2.16% (79.9th percentile)
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
Affected
Version ranges reported by the aggregated sources:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | < 2.8.13 | 2.8.13 |
| argoproj | argo_cd | < 1.5.0 | 1.5.0 |
| argoproj | argo_cd | < 2.8.13 | 2.8.13 |
| argoproj | argo_cd | >= 2.9.0 < 2.9.9 | 2.9.9 |
| argoproj | argo_cd | >= 2.10.0 < 2.10.4 | 2.10.4 |
| github.com | argoproj_argo-cd | >= 0 < 1.5.1 | 1.5.1 |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.8.13 | 2.8.13 |
| github.com | argoproj_argo-cd_v2 | >= 2.9.0 < 2.9.9 | 2.9.9 |
| github.com | argoproj_argo-cd_v2 | >= 2.10.0 < 2.10.4 | 2.10.4 |
The ranges fixed in 2.8.13, 2.9.9 and 2.10.4 belong to CVE-2024-21662, the 2024 cache-overflow bypass of this CVE's fix (see the GHSA and Red Hat records below), not to CVE-2020-8827 itself. For the original issue the sources disagree on the first fixed release (1.5.0 per the argoproj range, 1.5.1 per the github.com Go module range); the description wording, "As of v1.5.0, the Argo API does not implement anti-automation measures", is consistent with 1.5.0 still being affected, so check the upstream release notes before treating 1.5.0 as fixed.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV
osv·2024-08-21
CVE-2020-8827 Improper Restriction of Excessive Authentication Attempts in Argo API in github.com/argoproj/argo-cd
GHSA
ghsa·2024-03-18
CVE-2024-21662 [MEDIUM] CWE-307 Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
### Summary
An attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a previously [patched CVE](https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force) intended to protect against brute-force attacks.
### Details
The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with log
OSV
osv·2024-03-18
CVE-2024-21652 [MEDIUM] Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
Note: this OSV record carries CVE-2024-21652 while the GHSA and Red Hat records on this page carry CVE-2024-21662 for the same advisory text; confirm the identifier against the upstream Argo CD advisory before citing it.
### Summary
An attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a previously [patched CVE](https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force) intended to protect against brute-force attacks.
### Details
The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with log
GHSA
ghsa·2021-07-26
CVE-2020-8827 [HIGH] CWE-307 Improper Restriction of Excessive Authentication Attempts in Argo API
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
### Specific Go Packages Affected
github.com/argoproj/argo-cd/util/cache
OSV
osv·2021-07-26
CVE-2020-8827 [HIGH] Improper Restriction of Excessive Authentication Attempts in Argo API
Same description and affected package (github.com/argoproj/argo-cd/util/cache) as the GHSA record above.
Red Hat
vendor_redhat·2024-03-18·CVSS 7.5
CVE-2024-21662 [HIGH] CWE-307 argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for differen
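The cache-overflow bypass described in the GHSA, OSV and Red Hat records above, and the per-user lockout it defeats (the protection added for CVE-2020-8827), as an added Go example that is neither Argo CD's code nor taken from the advisories: a bounded per-user failed-login cache that evicts its oldest entry when full, the flood of throwaway usernames that pushes the target account's counter out of the cache, and a fail-closed variant that refuses to evict. The cache size of 1000 is the `defaultMaxCacheSize` the records cite; the lockout threshold, the username format, the type and function names and the fail-closed mitigation are assumptions for illustration, not the fix Argo CD shipped.

```go
package main

import (
	"fmt"
	"sync"
)

// Assumed policy values for the illustration. Only defaultMaxCacheSize comes
// from the advisories, which cite a 1000-entry cache.
const (
	lockoutThreshold    = 5
	defaultMaxCacheSize = 1000
)

// throttle is the minimal interface both cache variants implement.
type throttle interface {
	recordFailure(user string)
	lockedOut(user string) bool
}

// attemptCache models a bounded per-user failed-login counter that evicts its
// oldest entry when full. Constructed model, not Argo CD's implementation.
type attemptCache struct {
	mu      sync.Mutex
	maxSize int
	counts  map[string]int
	order   []string // usernames in insertion order, oldest first
}

func newAttemptCache(maxSize int) *attemptCache {
	return &attemptCache{maxSize: maxSize, counts: make(map[string]int)}
}

// recordFailure counts one failed login for user. Admitting a new user into a
// full cache evicts the oldest tracked user: attacker-chosen keys can push the
// defender's state out, which is exactly what the overflow attack relies on.
func (c *attemptCache) recordFailure(user string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if _, tracked := c.counts[user]; !tracked {
		if len(c.order) >= c.maxSize {
			oldest := c.order[0]
			c.order = c.order[1:]
			delete(c.counts, oldest)
		}
		c.order = append(c.order, user)
	}
	c.counts[user]++
}

// lockedOut reports whether user reached the threshold; an evicted or unseen
// user has a count of zero and is therefore never locked out.
func (c *attemptCache) lockedOut(user string) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.counts[user] >= lockoutThreshold
}

// failClosedCache keeps the same bounded map but never evicts. Once full it
// stops admitting new keys and treats untracked users as throttled, so junk
// usernames cannot clear an existing lockout. Entry expiry is omitted here.
type failClosedCache struct{ *attemptCache }

func newFailClosedCache(maxSize int) *failClosedCache {
	return &failClosedCache{newAttemptCache(maxSize)}
}

func (f *failClosedCache) recordFailure(user string) {
	f.mu.Lock()
	defer f.mu.Unlock()
	if _, tracked := f.counts[user]; !tracked {
		if len(f.order) >= f.maxSize {
			return // full: refuse to admit a new key rather than evict one
		}
		f.order = append(f.order, user)
	}
	f.counts[user]++
}

func (f *failClosedCache) lockedOut(user string) bool {
	f.mu.Lock()
	defer f.mu.Unlock()
	if _, tracked := f.counts[user]; !tracked {
		return len(f.order) >= f.maxSize // saturated: fail closed for unknown users
	}
	return f.counts[user] >= lockoutThreshold
}

// simulate locks out target with lockoutThreshold failures, floods the cache
// with one failure each for floodSize distinct throwaway usernames, and reports
// the target's lockout state before and after the flood.
func simulate(t throttle, target string, floodSize int) (lockedBefore, lockedAfter bool) {
	for i := 0; i < lockoutThreshold; i++ {
		t.recordFailure(target)
	}
	lockedBefore = t.lockedOut(target)
	for i := 0; i < floodSize; i++ {
		t.recordFailure(fmt.Sprintf("junk-%d", i)) // attacker-controlled usernames
	}
	return lockedBefore, t.lockedOut(target)
}

func main() {
	for name, c := range map[string]throttle{
		"evicting cache":    newAttemptCache(defaultMaxCacheSize),
		"fail-closed cache": newFailClosedCache(defaultMaxCacheSize),
	} {
		before, after := simulate(c, "admin", defaultMaxCacheSize)
		fmt.Printf("%-17s admin locked out before flood: %v, after flood: %v\n", name, before, after)
	}
}
```

With a flood of exactly `defaultMaxCacheSize` usernames the evicting cache forgets the admin lockout (locked out before: true, after: false) while the fail-closed cache keeps it. The fail-closed variant trades the bypass for a saturation denial of service: while the cache is full every unknown username is throttled until entries expire, so a real deployment needs time-based expiry and a second limit keyed by something the client cannot choose per request, such as source address, rather than relying on a size-bounded map keyed by attacker-supplied usernames.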
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://argoproj.github.io/argo-cd/operator-manual/user-management/#disable-admin-user
- https://argoproj.github.io/argo-cd/security_considerations/
- https://github.com/argoproj/argo/releases
- https://www.soluble.ai/blog/argo-cves-2020