Homepage
About Snyk

Insecure Defaults Affecting github.com/argoproj/argo-cd/v2/util/settings package, versions <1.8.0

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.43% (76th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-GOLANG-GITHUBCOMARGOPROJARGOCDV2UTILSETTINGS-1533597
  • published 27 Jul 2021
  • disclosed 26 Jul 2021
  • credit Matt Hamilton
Report a new vulnerability Found a mistake?

Introduced: 26 Jul 2021

CVE-2020-8828 Open this link in a new tab
CWE-453 Open this link in a new tab

How to fix?

Upgrade github.com/argoproj/argo-cd/v2/util/settings to version 1.8.0 or higher.

Overview

github.com/argoproj/argo-cd/v2/util/settings is a Declarative continuous deployment for Kubernetes.

Affected versions of this package are vulnerable to Insecure Defaults. Argo CD uses the argocd-server pod name as the default admin password. Kubernetes users able to list pods in the argo namespace are able to retrieve the default password.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8.8 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    High
Expand this section

NVD

8.8 high