CVE-2020-8827 - Improper Restriction of Excessive Authentication Attempts vulnerability in Argoproj Argo CD

- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: NONE
- Integrity impact: HIGH
- Availability impact: NONE

Summary
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
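The missing control described above, as an added example that is not Argo CD's own code: a per-key failure counter that locks a username or client IP out after a threshold of failed logins inside a window. The type and method names (LoginLimiter, Allow, RecordFailure) and the thresholds are assumptions chosen for illustration.

```go
package main

import (
	"sync"
	"time"
)

type attemptState struct {
	count       int       // failures inside the current window
	windowStart time.Time // when the current window opened
	lockedUntil time.Time // zero value means not locked
}
// LoginLimiter locks a key (username or client IP) out for lockout once
// maxFailures failed logins occur within window. Hypothetical mitigation
// code added for illustration, not Argo CD's own implementation.
type LoginLimiter struct {
	mu          sync.Mutex
	maxFailures int
	window      time.Duration
	lockout     time.Duration
	state       map[string]attemptState
}

func NewLoginLimiter(maxFailures int, window, lockout time.Duration) *LoginLimiter {
	return &LoginLimiter{maxFailures: maxFailures, window: window, lockout: lockout, state: map[string]attemptState{}}
}

// Allow is checked before the credential is verified; a locked-out key gains nothing per guess.
func (l *LoginLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return !time.Now().Before(l.state[key].lockedUntil)
}

// RecordFailure counts a failed attempt and reports whether the key is now locked out.
func (l *LoginLimiter) RecordFailure(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := time.Now()
	s := l.state[key]
	if now.Sub(s.windowStart) >= l.window { // first failure, or window expired
		s = attemptState{windowStart: now, lockedUntil: s.lockedUntil}
	}
	s.count++
	if s.count >= l.maxFailures { // lock out; counting restarts after it expires
		s = attemptState{lockedUntil: now.Add(l.lockout)}
	}
	l.state[key] = s
	return now.Before(s.lockedUntil)
}
```

Keying only on the username lets anyone who knows an account name lock it; a deployment would pair this with a per-source-IP limit and alert on lockouts.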
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://argoproj.github.io/argo-cd/operator-manual/user-management/#disable-admin-user
- https://argoproj.github.io/argo-cd/security_considerations/
- https://github.com/argoproj/argo/releases
- https://www.soluble.ai/blog/argo-cves-2020