Total: 3 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-8827 | 1 Linuxfoundation | 1 Argo Continuous Delivery | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH | As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence. |
| CVE-2020-8828 | 1 Linuxfoundation | 1 Argo Continuous Delivery | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH | As of v1.5.0, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere. |
| CVE-2020-8826 | 1 Linuxfoundation | 1 Argo Continuous Delivery | 2020-04-10 | 5.0 MEDIUM | 7.5 HIGH | As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication. |
