CVE-2022-41354
published 2023-03-27CVE-2022-41354: An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.
PriorityP424medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
EPSS
0.85%
53.4th percentile
An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | argoproj_argo-cd | 0.5.0 – 1.8.7 | — |
| github.com | argoproj_argo-cd | >= 0.5.0 | — |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.4.28 | 2.4.28 |
| github.com | argoproj_argo-cd_v2 | >= 2.5.0 < 2.5.16 | 2.5.16 |
| github.com | argoproj_argo-cd_v2 | >= 2.6.0 < 2.6.7 | 2.6.7 |
| linuxfoundation | argo-cd | >= 0.5.0 < 2.4.28 | 2.4.28 |
| linuxfoundation | argo-cd | >= 2.5.0 < 2.5.16 | 2.5.16 |
| linuxfoundation | argo-cd | >= 2.6.0 < 2.6.7 | 2.6.7 |
CVSS provenance
nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vendor_redhat4.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd
osv·2024-08-20
CVE-2022-41354 Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd
Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd
Argo CD authenticated but unauthorized users may enumerate Application names via the API in github.com/argoproj/argo-cd
OSV
Argo CD authenticated but unauthorized users may enumerate Application names via the API
osv·2023-03-23
CVE-2022-41354 [MEDIUM] Argo CD authenticated but unauthorized users may enumerate Application names via the API
Argo CD authenticated but unauthorized users may enumerate Application names via the API
### Impact
All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges (social engineering).
Many Argo CD API endpoints accept an application name as the only parameter. Since Argo CD RBAC requires both the application name and its configured project name (and, if apps-in-any-namespace is enabled, the application's namespace), Argo CD fetches the reques
GHSA
Argo CD authenticated but unauthorized users may enumerate Application names via the API
ghsa·2023-03-23
CVE-2022-41354 [MEDIUM] CWE-203 Argo CD authenticated but unauthorized users may enumerate Application names via the API
Argo CD authenticated but unauthorized users may enumerate Application names via the API
### Impact
All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges (social engineering).
Many Argo CD API endpoints accept an application name as the only parameter. Since Argo CD RBAC requires both the application name and its configured project name (and, if apps-in-any-namespace is enabled, the application's namespace), Argo CD fetches the reques
Red Hat
ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API
vendor_redhat·2023-03-23·CVSS 4.3
CVE-2022-41354 [MEDIUM] ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API
ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API
An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.
An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://argo.comhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvqhttps://github.com/chunklhit/cve/blob/master/argo/argo-cd/application_enumeration.mdhttp://argo.comhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvqhttps://github.com/chunklhit/cve/blob/master/argo/argo-cd/application_enumeration.md
2023-03-27
Published