GHSA-h8jc-jmrf-9h8f

Source
https://github.com/advisories/GHSA-h8jc-jmrf-9h8f
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-h8jc-jmrf-9h8f/GHSA-h8jc-jmrf-9h8f.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h8jc-jmrf-9h8f
Aliases
Published
2021-07-26T21:19:27Z
Modified
2024-08-07T19:44:16Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Argo CD Insecure default administrative password
Details

In Argo CD versions 1.8.0 and prior, the default admin password is set to the name of the argocd-server pod. For insiders with access to the cluster or to logs, this issue could be abused for privilege escalation, as Argo CD runs with privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere (logs, dashboards, monitoring exports).

Workaround:

The recommended mitigation, as described in the user documentation, is to use SSO integration. The default admin password should only be used for initial configuration and then be disabled, or at least changed to a more secure password.

Database specific
{
    "nvd_published_at": "2020-04-08T20:15:00Z",
    "cwe_ids": [
        "CWE-1188",
        "CWE-287"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-26T21:14:45Z"
}
References

Affected packages

Go / github.com/argoproj/argo-cd

Package

Name
github.com/argoproj/argo-cd
Purl
pkg:golang/github.com/argoproj/argo-cd

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.8.0