CVE-2024-37152
Published: 2024-06-06
Priority: P2 (58) · Severity: High · CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploit likelihood (EPSS): 2.35%, 81.6th percentile
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
Affected versions
9 version ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo_cd | >= 2.9.3 < 2.9.17 | 2.9.17 |
| argoproj | argo_cd | >= 2.10.0 < 2.10.12 | 2.10.12 |
| argoproj | argo_cd | >= 2.11.0 < 2.11.3 | 2.11.3 |
| github.com | argoproj_argo-cd_v2 | >= 2.9.3 < 2.9.17 | 2.9.17 |
| github.com | argoproj_argo-cd_v2 | >= 2.10.0 < 2.10.12 | 2.10.12 |
| github.com | argoproj_argo-cd_v2 | >= 2.11.0 < 2.11.3 | 2.11.3 |
| github.com | argoproj_argo-cd_v2_server | >= 2.9.3 < 2.9.17 | 2.9.17 |
| github.com | argoproj_argo-cd_v2_server | >= 2.10.0 < 2.10.12 | 2.10.12 |
| github.com | argoproj_argo-cd_v2_server | >= 2.11.0 < 2.11.3 | 2.11.3 |
Detection & IOCs
- An unauthenticated GET to /api/v1/settings that returns HTTP 200 with a JSON body containing both a "passwordPattern" and an "appLabelKey" field confirms a vulnerable Argo CD instance.
- HTTP 200 with Content-Type application/json from the unauthenticated /api/v1/settings endpoint is not, on its own, evidence of exploitation: the endpoint is reachable without a session by design (the advisory itself calls this "as expected"), and patched builds still answer 200 with JSON. Unexpected clients hitting it indicate probing at most.
- All sensitive settings are hidden in the response except passwordPattern, so the presence of that field in an unauthenticated response is the key detection signal.
- The vulnerability is fixed in Argo CD 2.11.3, 2.10.12 and 2.9.17. Detection rules that alert on any JSON response from /api/v1/settings will produce false positives on patched instances, which still return JSON but no longer expose the field; match on "passwordPattern" instead.
- Red Hat OpenShift GitOps packages (argocd-rhel8, argocd-rhel9, gitops-operator-bundle, gitops-rhel8, gitops-rhel8-operator) are marked "Will not fix", so deployments built from those packages remain vulnerable and should be monitored.
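The check these indicators describe, written out as an added Go example (this is not code from the page's sources or from the Argo CD project): it issues the unauthenticated GET, classifies the reply so that a patched instance's HTTP 200 JSON without passwordPattern is reported as not exposing rather than as a hit, and compares a version string against the affected ranges in the table above. The hostname argocd.example.internal, the two sample JSON bodies, and the assumption that appLabelKey is present in every Argo CD settings reply are mine; the version comparison also assumes each version component is below 1000.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)

// Verdicts for an unauthenticated GET /api/v1/settings. The endpoint is reachable
// without a session by design, so HTTP 200 + JSON alone proves nothing; only a
// passwordPattern field in the body does.
const (
	Vulnerable = "vulnerable: passwordPattern exposed without authentication"
	Patched    = "passwordPattern not exposed (patched or not affected)"
	NotArgoCD  = "not an Argo CD settings response"
)

// Constructed sample bodies (not captured from a real instance).
var SampleVulnerableBody = []byte(`{"url":"https://argocd.example.internal","appLabelKey":"app.kubernetes.io/instance","passwordPattern":"^.{8,32}$"}`)
var SamplePatchedBody = []byte(`{"url":"https://argocd.example.internal","appLabelKey":"app.kubernetes.io/instance"}`)

// ClassifySettings applies the page's indicator to a captured response. The appLabelKey
// check (assumed present in every Argo CD settings reply, as the Nuclei matcher also
// requires) confirms the body is Argo CD's settings object at all.
func ClassifySettings(status int, contentType string, body []byte) string {
	var m map[string]json.RawMessage
	if status != http.StatusOK || !strings.HasPrefix(contentType, "application/json") ||
		json.Unmarshal(body, &m) != nil || m["appLabelKey"] == nil {
		return NotArgoCD
	}
	if m["passwordPattern"] != nil {
		return Vulnerable
	}
	return Patched
}

// key packs major.minor.patch (each assumed < 1000) so ranges compare as plain integers.
func key(major, minor, patch int) int { return major*1_000_000 + minor*1_000 + patch }

// Affected ranges as listed on this page: lower bound inclusive, upper bound exclusive.
var affectedRanges = [][2]int{
	{key(2, 9, 3), key(2, 9, 17)}, {key(2, 10, 0), key(2, 10, 12)}, {key(2, 11, 0), key(2, 11, 3)},
}

// parseVersion accepts "v2.10.11+abc123" or "2.10.11"; the part after '+' or '-' is
// dropped, so a pre-release such as "2.11.0-rc1" compares as its base version.
func parseVersion(s string) (int, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "+-"); i >= 0 {
		s = s[:i]
	}
	var n [3]int
	if _, err := fmt.Sscanf(s, "%d.%d.%d", &n[0], &n[1], &n[2]); err != nil {
		return 0, fmt.Errorf("unparseable version %q: %w", s, err)
	}
	return key(n[0], n[1], n[2]), nil
}

// VersionAffected reports whether a version string falls inside an affected range.
func VersionAffected(version string) (bool, error) {
	k, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if k >= r[0] && k < r[1] {
			return true, nil
		}
	}
	return false, nil
}

// Probe fetches /api/v1/settings with no credentials at all and classifies the reply.
func Probe(base string) (string, error) {
	c := &http.Client{Timeout: 10 * time.Second}
	resp, err := c.Get(strings.TrimRight(base, "/") + "/api/v1/settings")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", err
	}
	return ClassifySettings(resp.StatusCode, resp.Header.Get("Content-Type"), body), nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: check https://argocd.example.internal [server-version]")
		os.Exit(2)
	}
	verdict, err := Probe(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(1)
	}
	fmt.Println("settings endpoint:", verdict)
	if len(os.Args) > 2 { // optional Argo CD server version string
		fmt.Println(VersionAffected(os.Args[2])) // prints "<affected> <error>"
	}
}
```

Run it as `go run check.go https://argocd.example.internal v2.10.11` against a host you are authorized to test; the version argument is optional. Because the probe sends no cookie or Authorization header, a Vulnerable verdict is exactly the condition the advisory describes, while a patched build yields the second verdict instead of a false positive.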
CVSS provenance
- NVD (CVSS v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Red Hat (vendor): 5.3 MEDIUM
OSV
osv · 2024-06-14: CVE-2024-37152 Unauthenticated Access to sensitive settings in Argo CD in github.com/argoproj/argo-cd
GHSA
ghsa · 2024-06-06 · GHSA-87p9-x75h-p4j2: CVE-2024-37152 [MEDIUM] CWE-22 Unauthenticated Access to sensitive settings in Argo CD
# Summary
The CVE allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication.
# Details
## **Unauthenticated Access:**
### Endpoint: /api/v1/settings
Description: This endpoint is accessible without any form of authentication as expected. All sensitive settings are hidden except `passwordPattern`.
# Patches
A patch for this vulnerability has been released in the following Argo CD versions:
* v2.11.3
* v2.10.12
* v2.9.17
# Impact
## Unauthenticated Access:
* Type: Unauthorized Information Disclosure.
* Affected Parties: All users and administrators of the Argo CD instance.
* Potential Risks: Exposure of sensitive configuration data, including but not limited to deployment settings,
OSV
osv · 2024-06-06: CVE-2024-37152 [MEDIUM] Unauthenticated Access to sensitive settings in Argo CD (same advisory text as the GHSA entry above)
Red Hat
vendor_redhat · 2024-06-06 · CVSS 5.3: CVE-2024-37152 [MEDIUM] CWE-200 argo-cd: Unauthenticated information disclosure in /api/v1/settings endpoint
A flaw was found in Argo-CD. There is an issue with unauthenticated information disclosure of settings data through an exposed API endpoint at /api/v1/settings.
* odf4/odr-rhel9-operator (Red Hat Openshift Data Foundation 4): Not affected
* openshift-gitops-1/argocd-rhel8 (Red Hat OpenShift GitOps): Will not fix
* openshift-gitops-1/argocd-rhel9 (Red Hat OpenShift GitO
No detection rules found.
Nuclei
nuclei · CVSS 7.5: CVE-2024-37152 [HIGH] Argo CD Unauthenticated Access to sensitive setting
The index carries NVD's HIGH/7.5 rating; the template's own severity field is medium.
Template:
```yaml
id: CVE-2024-37152

info:
  name: Argo CD Unauthenticated Access to sensitive setting
  author: DhiyaneshDk
  severity: medium
  description: |
    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern.
  impact: |
    Unauthenticated attackers can access sensitive password patte
```
No writeups or analysis indexed.
References
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2
- https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b