Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg4amMtam1yZi05aDhm
Argo CD Insecure default administrative password
In Argo CD versions 1.8.0 and prior, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.
Workaround:
The recommended mitigation as described in the user documentation is to use SSO integration. The default admin password should only be used for initial configuration and then disabled or at least changed to a more secure password.
Permalink: https://github.com/advisories/GHSA-h8jc-jmrf-9h8fJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg4amMtam1yZi05aDhm
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: 7 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-h8jc-jmrf-9h8f, CVE-2020-8828
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-8828
- https://argoproj.github.io/argo-cd/security_considerations/
- https://github.com/argoproj/argo/releases
- https://www.soluble.ai/blog/argo-cves-2020
- https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8828-insecure-default-administrative-password
- https://github.com/argoproj/argo-cd/blob/129cf5370f9e2c6f99c9a5515099250a7ba42099/docs/security_considerations.md#cve-2020-8828---insecure-default-administrative-password
- https://github.com/advisories/GHSA-h8jc-jmrf-9h8f
Blast Radius: 13.1
Affected Packages
go:github.com/argoproj/argo-cd
Dependent packages: 77Dependent repositories: 31
Downloads:
Affected Version Ranges: <= 1.8.0
No known fixed version
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.7.2, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 0.9.2, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.10.5, 0.10.6, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 1.0.0, 1.0.1, 1.0.2, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.5.7, 1.5.8, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.8.0