All versions of Argo CD starting with v0.5.0 are vulnerable to an information disclosure bug allowing unauthorized users to enumerate application names by inspecting API error messages. An attacker could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges (social engineering).
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.8 Via RHSA-2023:1452 https://access.redhat.com/errata/RHSA-2023:1452
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.6 Via RHSA-2023:1453 https://access.redhat.com/errata/RHSA-2023:1453
This issue has been addressed in the following products: Red Hat OpenShift GitOps 1.7 Via RHSA-2023:1454 https://access.redhat.com/errata/RHSA-2023:1454
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-41354