Vulnerabilities > CVE-2020-11576 - Information Exposure Through Discrepancy vulnerability in Argoproj Argo CD 1.5.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
NONE Availability impact
NONE Summary
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
References
- https://github.com/argoproj/argo-cd/commit/35a7350b7444bcaf53ee0bb11b9d8e3ae4b717a1
- https://github.com/argoproj/argo-cd/pull/3215
- https://www.soluble.ai/blog/argo-cves-2020
- https://github.com/argoproj/argo-cd/commit/35a7350b7444bcaf53ee0bb11b9d8e3ae4b717a1
- https://www.soluble.ai/blog/argo-cves-2020
- https://github.com/argoproj/argo-cd/pull/3215