CVE-2024-36106
Published: 2024-06-06
Priority: P4 · 20 · medium · 4.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.41% (32.6th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | < 2.9.17 | 2.9.17 |
| argoproj | argo_cd | >= 2.10.0 < 2.10.12 | 2.10.12 |
| argoproj | argo_cd | >= 2.11.0 < 2.11.3 | 2.11.3 |
| github.com | argoproj_argo-cd | >= 0.11.0 < 2.9.17 | 2.9.17 |
| github.com | argoproj_argo-cd | >= 0.11.0 | — |
| github.com | argoproj_argo-cd | >= 2.10.0 < 2.10.12 | 2.10.12 |
| github.com | argoproj_argo-cd | >= 2.11.0 < 2.11.3 | 2.11.3 |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.9.17 | 2.9.17 |
| github.com | argoproj_argo-cd_v2 | >= 2.10.0 < 2.10.12 | 2.10.12 |
| github.com | argoproj_argo-cd_v2 | >= 2.11.0 < 2.11.3 | 2.11.3 |
CVSS provenance
- nvd (v3.1): 4.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- vendor_redhat: 4.3 MEDIUM
OSV · 2024-06-28
CVE-2024-36106: Argo-cd authenticated users can enumerate clusters by name in github.com/argoproj/argo-cd
OSV · 2024-06-06
CVE-2024-36106 [MEDIUM]: Argo-cd authenticated users can enumerate clusters by name
### Impact
It’s possible for authenticated users to enumerate clusters by name by inspecting error messages:
```
$ curl -k 'https://localhost:8080/api/v1/clusters/in-cluster?id.type=name' -H "Authorization: Bearer $token"
{"error":"permission denied: clusters, get, , sub: alice, iat: 2022-11-04T20:25:44Z","code":7,"message":"permission denied: clusters, get, , sub: alice, iat: 2022-11-04T20:25:44Z"}
$ curl -k 'https://localhost:8080/api/v1/clusters/does-not-exist?id.type=name' -H "Authorization: Bearer $token"
{"error":"permission denied","code":7,"message":"permission denied"}
```
It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters.
```
curl -k 'https://loc
```
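The weakness the advisory describes (CWE-209) is a differential error: the "cluster not found" path and the "RBAC denied" path produce different messages, so the error text alone tells an authenticated caller whether a name exists. The Go example below is an added illustration, not Argo CD's own code or the upstream fix: it models a lookup handler with an in-memory cluster store and permission table (both constructed), shows the leaky shape beside a hardened one that returns a single uniform error for both conditions, and includes the kind of regression check a project would keep to make sure the two denied responses stay indistinguishable. All names (`clusters`, `canGet`, `leakyGetCluster`, `hardenedGetCluster`, `responsesDiffer`) are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory cluster store: cluster name -> owning project.
// An empty project means a globally scoped cluster. (Assumption; not Argo CD's store.)
var clusters = map[string]string{
	"in-cluster": "",
	"prod-east":  "payments",
}

// Constructed permission table: subject -> cluster names it may "get".
var canGet = map[string]map[string]bool{
	"alice": {},                   // alice may read no cluster
	"bob":   {"prod-east": true}, // bob may read one
}

var errPermissionDenied = errors.New("permission denied")

// leakyGetCluster mirrors the advisory's pattern: an unknown name yields a bare
// "permission denied", while a known-but-forbidden name yields a detailed RBAC
// message. The difference in text confirms that the cluster exists, and the
// project field would additionally reveal the project name.
func leakyGetCluster(subject, name string) (string, error) {
	project, ok := clusters[name]
	if !ok {
		return "", errPermissionDenied
	}
	if !canGet[subject][name] {
		return "", fmt.Errorf("permission denied: clusters, get, %s, sub: %s", project, subject)
	}
	return project, nil
}

// hardenedGetCluster collapses "not found" and "not permitted" into one error
// value with one message, so the response carries no existence signal. The
// detailed RBAC context belongs in server-side audit logs, not the reply.
func hardenedGetCluster(subject, name string) (string, error) {
	project, ok := clusters[name]
	if !ok || !canGet[subject][name] {
		return "", errPermissionDenied
	}
	return project, nil
}

// responsesDiffer reports whether two lookups by the same subject return
// different error text. For a denied caller this should be false across every
// name, known or unknown; a true result is the regression this CVE describes.
func responsesDiffer(get func(string, string) (string, error), subject, a, b string) bool {
	_, errA := get(subject, a)
	_, errB := get(subject, b)
	msgA, msgB := "", ""
	if errA != nil {
		msgA = errA.Error()
	}
	if errB != nil {
		msgB = errB.Error()
	}
	return msgA != msgB
}

func main() {
	// Reproduces the advisory's two requests against each handler shape.
	for _, name := range []string{"in-cluster", "does-not-exist"} {
		_, err := leakyGetCluster("alice", name)
		fmt.Printf("leaky    %-15s -> %v\n", name, err)
		_, err = hardenedGetCluster("alice", name)
		fmt.Printf("hardened %-15s -> %v\n", name, err)
	}
}
```

The check in `responsesDiffer` is the useful part for a defender: run it in unit tests over a denied subject and a mix of real and made-up names, and any future change that reintroduces a per-case message fails the test before it ships.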
GHSA · 2024-06-06
CVE-2024-36106 [MEDIUM] CWE-209: Argo-cd authenticated users can enumerate clusters by name
Red Hat · 2024-06-06 · CVSS 4.3
CVE-2024-36106 [MEDIUM] CWE-209: argo-cd: Error messages contain sensitive information
A flaw was found in Argo-CD. Error messages in Argo-CD may contain sensitive information, such as clusters and project names, which allows authenticated malicious users to enumerate possible targets.
Package: odf4/odr-rhel8-operator (Red Hat Openshift Data Foundation 4) - Not affected
Package: openshift-gitops-1/argocd-rhel8 (Red Hat OpenShift GitOps) - Will not fix
Package: openshift
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/argoproj/argo-cd/commit/c2647055c261a550e5da075793260f6524e65ad9
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-3cqf-953p-h5cp