Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-36106

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.

Published

2024-06-06T15:15:45.023

Last Modified

2024-11-21T09:21:37.303

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-209
Type: Primary
CWE-209

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	argoproj	argo_cd	< 2.9.17	Yes
Application	argoproj	argo_cd	< 2.10.12	Yes
Application	argoproj	argo_cd	< 2.11.3	Yes

References

https://github.com/argoproj/argo-cd/commit/c2647055c261a550e5da075793260f6524e65ad9 Patch ([email protected])
https://github.com/argoproj/argo-cd/security/advisories/GHSA-3cqf-953p-h5cp Vendor Advisory ([email protected])
https://github.com/argoproj/argo-cd/commit/c2647055c261a550e5da075793260f6524e65ad9 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/argoproj/argo-cd/security/advisories/GHSA-3cqf-953p-h5cp Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)