cbcvebase.
CVE-2024-37152
published 2024-06-06


Priority: P2 · 58 · Severity: high · CVSS 3.1 base score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploit
EPSS: 2.35% (81.6th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.

Affected

12 ranges
Vendor     | Product                      | Version range        | Fixed in
argoproj   | argo-cd                      |                      |
argoproj   | argo-cd                      |                      |
argoproj   | argo-cd                      |                      |
argoproj   | argo_cd                      | >= 2.10.0 < 2.10.12  | 2.10.12
argoproj   | argo_cd                      | >= 2.11.0 < 2.11.3   | 2.11.3
argoproj   | argo_cd                      | >= 2.9.3 < 2.9.17    | 2.9.17
github.com | argoproj_argo-cd_v2          | >= 2.10.0 < 2.10.12  | 2.10.12
github.com | argoproj_argo-cd_v2          | >= 2.11.0 < 2.11.3   | 2.11.3
github.com | argoproj_argo-cd_v2          | >= 2.9.3 < 2.9.17    | 2.9.17
github.com | argoproj_argo-cd_v2_server   | >= 2.10.0 < 2.10.12  | 2.10.12
github.com | argoproj_argo-cd_v2_server   | >= 2.11.0 < 2.11.3   | 2.11.3
github.com | argoproj_argo-cd_v2_server   | >= 2.9.3 < 2.9.17    | 2.9.17

Detection & IOCs (extracted from sources)

url: /api/v1/settings
command: GET /api/v1/settings HTTP/1.1
other: shodan-query: html:"Argo CD"
  • An unauthenticated GET request to /api/v1/settings that returns HTTP 200 with a JSON body containing both the '"passwordPattern":' and '"appLabelKey":' fields confirms a vulnerable Argo CD instance.
  • An HTTP 200 with Content-Type 'application/json' on the unauthenticated /api/v1/settings endpoint shows the endpoint is reachable without a session and is a useful indicator of probing, but it is not by itself evidence of a vulnerable instance or of successful exploitation: patched versions answer the same request the same way, minus the sensitive field.
  • All sensitive settings are hidden in the response except 'passwordPattern', so its presence in an unauthenticated response is the key detection signal.
  • The vulnerability is fixed in Argo CD versions 2.11.3, 2.10.12, and 2.9.17. Detection rules that alert on any 200 JSON response from /api/v1/settings will produce false positives on patched instances, which still return JSON but no longer expose the sensitive field; match on 'passwordPattern' rather than on the status code alone.
  • Red Hat OpenShift GitOps packages (argocd-rhel8, argocd-rhel9, gitops-operator-bundle, gitops-rhel8, gitops-rhel8-operator) are marked 'Will not fix', meaning deployments built from these packages will not receive a patch for this issue and should be monitored for unauthenticated access to the endpoint.
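The following is an added example, not code from the cbcvebase page or from the Argo CD project. It turns the affected-version table and the IOC bullets above into a checker: version_is_affected() applies the three fixed ranges, and classify_settings_response() grades an unauthenticated GET /api/v1/settings reply as vulnerable (200 JSON still carrying passwordPattern), patched (200 JSON from an Argo CD settings document without it), or inconclusive (anything else), so a patched instance's 200 response is not reported as a hit. The sample replies are constructed, not captured from a live server; field names other than passwordPattern and appLabelKey (url, dexConfig, oidcConfig, statusBadgeEnabled) are assumed from the Argo CD settings API, and probe() is a hypothetical wrapper that sends the request from the IOC list.

```python
"""Added example (not part of the cbcvebase page or the Argo CD project):
classify an unauthenticated Argo CD /api/v1/settings reply for CVE-2024-37152
and check a reported version against the affected ranges listed above."""
import json
import re
import sys
import urllib.error
import urllib.request
from typing import Optional

# (first affected, first fixed) per minor line, from the Affected table above.
AFFECTED_RANGES = [
    ((2, 9, 3), (2, 9, 17)),
    ((2, 10, 0), (2, 10, 12)),
    ((2, 11, 0), (2, 11, 3)),
]

# Top-level keys that mark a reply as an Argo CD settings document. appLabelKey
# comes from the IOC list above; the others are assumed from the settings API.
ARGOCD_SETTINGS_KEYS = {"appLabelKey", "url", "dexConfig", "oidcConfig", "statusBadgeEnabled"}


def parse_version(text: str) -> Optional[tuple]:
    """'v2.10.5', '2.10.5+abc123' or '2.10.5-rc1' -> (2, 10, 5); None if unparsable."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def version_is_affected(text: str) -> Optional[bool]:
    """True/False against AFFECTED_RANGES; None when the version cannot be parsed."""
    v = parse_version(text)
    if v is None:
        return None
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def classify_settings_response(status: int, content_type: str, body: bytes) -> str:
    """Grade an *unauthenticated* GET /api/v1/settings reply.

    'vulnerable'   -> 200 JSON settings document that still carries passwordPattern
    'patched'      -> 200 JSON settings document without it (patched Argo CD still
                      answers 200 here, so status alone proves nothing)
    'inconclusive' -> non-200, non-JSON, unparsable, or not an Argo CD settings document
    """
    if status != 200 or "application/json" not in content_type.lower():
        return "inconclusive"
    try:
        settings = json.loads(body)
    except ValueError:
        return "inconclusive"
    if not isinstance(settings, dict) or not (settings.keys() & ARGOCD_SETTINGS_KEYS):
        return "inconclusive"
    return "vulnerable" if "passwordPattern" in settings else "patched"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Hypothetical helper: send the GET from the IOC list with no session and classify the reply."""
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v1/settings",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_settings_response(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as e:  # non-2xx still carries a body worth grading
        return classify_settings_response(e.code, e.headers.get("Content-Type", ""), e.read())
    except (urllib.error.URLError, OSError):
        return "inconclusive"


# Constructed sample replies (not captured from a real server).
VULNERABLE_REPLY = json.dumps({
    "url": "https://argocd.example.internal",
    "appLabelKey": "app.kubernetes.io/instance",
    "statusBadgeEnabled": False,
    "passwordPattern": "^.{8,32}$",
}).encode()
PATCHED_REPLY = json.dumps({
    "url": "https://argocd.example.internal",
    "appLabelKey": "app.kubernetes.io/instance",
    "statusBadgeEnabled": False,
}).encode()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print("sample vulnerable reply:", classify_settings_response(200, "application/json", VULNERABLE_REPLY))
        print("sample patched reply:   ", classify_settings_response(200, "application/json", PATCHED_REPLY))
        print("v2.10.11 affected:", version_is_affected("v2.10.11"))
```

Run it with no arguments to exercise the constructed samples, or with a base URL to probe an instance you are authorised to test. Pair the response check with the version check when the instance reports its version (for example from the UI footer): a 'patched' grade from the response is the authoritative one, since the version string does not distinguish an upstream build from a vendor build that is marked 'Will not fix'.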

CVSS provenance

NVD: CVSS v3.1 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vendor (Red Hat): 5.3 MEDIUM