Vulnerabilities > Argoproj

DATE CVE VULNERABILITY TITLE RISK
2021-02-09 CVE-2021-26921 Insufficient Session Expiration vulnerability in Argoproj Argo CD
In util/session/sessionmanager.go in Argo CD before 1.8.4, tokens continue to work even when the user account is disabled.
network
low complexity
argoproj CWE-613
6.5
2020-04-09 CVE-2018-21034 Information Exposure vulnerability in Argoproj Argo CD
In Argo versions prior to v1.5.0-rc1, it was possible for authenticated Argo users to submit API calls to retrieve secrets and other manifests which were stored within git.
network
low complexity
argoproj CWE-200
6.5
2020-04-08 CVE-2020-8828 Insecure Default Initialization of Resource vulnerability in Argoproj Argo CD
As of v1.5.0, the default admin password is set to the argocd-server pod name.
network
low complexity
argoproj CWE-1188
8.8
2020-04-08 CVE-2020-8827 Improper Restriction of Excessive Authentication Attempts vulnerability in Argoproj Argo CD
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures.
network
low complexity
argoproj CWE-307
7.5
2020-04-08 CVE-2020-8826 Session Fixation vulnerability in Argoproj Argo CD
As of v1.5.0, the Argo web interface authentication system issued immutable tokens.
network
low complexity
argoproj CWE-384
7.5
2020-04-08 CVE-2020-11576 Information Exposure Through Discrepancy vulnerability in Argoproj Argo CD 1.5.0
Fixed in v1.5.1, Argo version v1.5.0 was vulnerable to a user-enumeration vulnerability which allowed attackers to determine the usernames of valid (non-SSO) accounts because /api/v1/session returned 401 for an existing username and 404 otherwise.
network
low complexity
argoproj CWE-203
5.3