
GHSA-vj54-cjrx-x696

Severity: Moderate
EPSS: 0.00247% (0.47907 percentile)

Observable Discrepancy in Argo

Affected Packages                 Affected Versions   Fixed Versions
go:github.com/argoproj/argo-cd    = 1.5.0             1.5.1
  PURL: pkg:go/github.com%2Fargoproj%2Fargo-cd
  88 dependent packages, 31 dependent repositories

Affected Version Ranges

All affected versions

v1.5.0

All unaffected versions

v0.1.0, v0.2.0, v0.3.0, v0.3.1, v0.3.2, v0.3.3, v0.4.0, v0.4.1, v0.4.2, v0.4.3, v0.4.4, v0.4.5, v0.4.6, v0.4.7, v0.5.0, v0.5.1, v0.5.2, v0.5.3, v0.5.4, v0.6.0, v0.6.1, v0.6.2, v0.7.0, v0.7.1, v0.7.2, v0.8.0, v0.8.1, v0.8.2, v0.9.0, v0.9.1, v0.9.2, v0.10.0, v0.10.1, v0.10.2, v0.10.3, v0.10.4, v0.10.5, v0.10.6, v0.11.0, v0.11.1, v0.11.2, v0.12.0, v0.12.1, v0.12.2, v0.12.3, v1.0.0, v1.0.1, v1.0.2, v1.1.0, v1.1.1, v1.1.2, v1.2.0, v1.2.1, v1.2.2, v1.2.3, v1.2.4, v1.2.5, v1.3.0, v1.3.1, v1.3.2, v1.3.3, v1.3.4, v1.3.5, v1.3.6, v1.4.0, v1.4.1, v1.4.2, v1.4.3, v1.5.1, v1.5.2, v1.5.3, v1.5.4, v1.5.5, v1.5.6, v1.5.7, v1.5.8, v1.6.0, v1.6.1, v1.6.2, v1.7.0, v1.7.1, v1.7.2, v1.7.3, v1.7.4, v1.7.5, v1.7.6, v1.7.7, v1.7.8, v1.7.9, v1.7.10, v1.7.11, v1.7.12, v1.7.13, v1.7.14, v1.8.0, v1.8.1, v1.8.2, v1.8.3, v1.8.4, v1.8.5, v1.8.6, v1.8.7

Argo CD v1.5.0 was vulnerable to a user-enumeration issue that let an unauthenticated attacker learn which usernames belong to valid local (non-SSO) accounts: a login attempt to /api/v1/session returned HTTP 401 when the username existed and HTTP 404 when it did not, so the status code alone revealed whether an account exists, whatever password was supplied. Fixed in v1.5.1.

The practical check is to submit the same wrong password for a list of candidate usernames and compare the status codes: a vulnerable server sorts them into two groups, a fixed server answers every failed login the same way. Only local (non-SSO) accounts are exposed, and the discrepancy gives an attacker a confirmed username list to feed into password guessing against those accounts.
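The discrepancy and its fix side by side, as an added Go example that is not Argo CD's own code: the account store, handler names and password values are constructed for illustration, and the request shape (username and password as JSON posted to /api/v1/session) follows the endpoint named above. The probe is the attacker's view, recording only the status code each candidate name receives.

```go
package main

import (
	"bytes"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed local (non-SSO) account store standing in for the server's user
// database. Plaintext passwords are for illustration only; a real server
// stores and compares password hashes.
var localAccounts = map[string]string{
	"admin":  "correct-horse",
	"deploy": "battery-staple",
}

type sessionRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

func decodeRequest(r *http.Request) (sessionRequest, bool) {
	var req sessionRequest
	err := json.NewDecoder(r.Body).Decode(&req)
	return req, err == nil
}

// vulnerableSession reproduces the discrepancy the advisory describes:
// an unknown username gets 404, a known one with a wrong password gets 401.
func vulnerableSession(w http.ResponseWriter, r *http.Request) {
	req, ok := decodeRequest(r)
	if !ok {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	stored, exists := localAccounts[req.Username]
	if !exists {
		http.Error(w, "user not found", http.StatusNotFound) // reveals the account is absent
		return
	}
	if stored != req.Password {
		http.Error(w, "invalid password", http.StatusUnauthorized) // reveals it is present
		return
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedSession answers every failed login with the same status and message
// and runs the comparison even for unknown users (stored is "" then), so the
// two failure paths do the same work. With hashed passwords, compare against a
// fixed dummy hash for unknown users for the same reason.
func hardenedSession(w http.ResponseWriter, r *http.Request) {
	req, ok := decodeRequest(r)
	if !ok {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	stored, exists := localAccounts[req.Username]
	match := subtle.ConstantTimeCompare([]byte(stored), []byte(req.Password)) == 1
	if !exists || !match {
		http.Error(w, "invalid username or password", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// loginStatus is the attacker's side: one POST to /api/v1/session on an
// in-process test server, keeping only the HTTP status observed.
func loginStatus(h http.HandlerFunc, user, pass string) int {
	srv := httptest.NewServer(h)
	defer srv.Close()
	body, _ := json.Marshal(sessionRequest{Username: user, Password: pass})
	resp, err := http.Post(srv.URL+"/api/v1/session", "application/json", bytes.NewReader(body))
	if err != nil {
		return 0
	}
	resp.Body.Close()
	return resp.StatusCode
}

// probe tries one junk password per candidate name and records the status.
func probe(h http.HandlerFunc, names []string) map[string]int {
	out := make(map[string]int, len(names))
	for _, n := range names {
		out[n] = loginStatus(h, n, "definitely-wrong")
	}
	return out
}

// leaksExistence is true when the probe saw more than one distinct status,
// i.e. the server lets the caller sort names into existing and non-existing.
func leaksExistence(statuses map[string]int) bool {
	seen := map[int]bool{}
	for _, s := range statuses {
		seen[s] = true
	}
	return len(seen) > 1
}

func main() {
	names := []string{"admin", "deploy", "nobody"}
	for label, h := range map[string]http.HandlerFunc{"vulnerable": vulnerableSession, "hardened": hardenedSession} {
		st := probe(h, names)
		fmt.Printf("%-10s %v leaks existence: %v\n", label, st, leaksExistence(st))
	}
}
```

Against the vulnerable handler the probe returns 401 for admin and deploy and 404 for nobody; against the hardened one every name gets 401 and the probe learns nothing, while a correct password still yields 200.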

Specific Go Packages Affected

github.com/argoproj/argo-cd/util/session
github.com/argoproj/argo-cd/server/session
