Bug 2292311 (CVE-2024-36106) - CVE-2024-36106 argo-cd: Error messages contain sensitive information
Summary: CVE-2024-36106 argo-cd: Error messages contain sensitive information
Keywords:
Status: NEW
Alias: CVE-2024-36106
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2292312
Blocks: 2292314
Reported: 2024-06-14 02:55 UTC by Pedro Sampaio
Modified: 2025-04-18 08:27 UTC (History)

Fixed In Version: argo-cd 2.11.3, argo-cd 2.10.12, argo-cd 2.9.17
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2024-06-14 02:55:01 UTC
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.

References:

https://github.com/argoproj/argo-cd/commit/c2647055c261a550e5da075793260f6524e65ad9
https://github.com/argoproj/argo-cd/security/advisories/GHSA-3cqf-953p-h5cp
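The flaw class named in the description, an authenticated caller learning whether a resource exists (and which project owns it) from the wording of an error, is shown below as an added Go example. It is not Argo CD's code and does not reproduce the fixed commit; the cluster/project model, the user list and both lookup functions are constructed for illustration. The leaky version returns a different message for "no such cluster" and "not your project", so the two cases can be told apart; the hardened version returns one identical error to the caller and keeps the precise reason only for server-side audit logging.

```go
package main

import (
	"errors"
	"fmt"
)

// cluster is a constructed, hypothetical model: a project of "" means the
// cluster is global rather than project-scoped.
type cluster struct {
	name    string
	project string
}

// Constructed sample data, not taken from any real deployment.
var clusters = map[string]cluster{
	"prod-east": {name: "prod-east", project: "payments"},
	"shared":    {name: "shared", project: ""},
}

// userProjects lists the projects each constructed user may access.
var userProjects = map[string][]string{
	"alice": {"payments"},
	"bob":   {"analytics"},
}

// canAccess applies the hypothetical rule: global clusters are visible to
// everyone, project-scoped clusters only to members of that project.
func canAccess(user string, c cluster) bool {
	if c.project == "" {
		return true
	}
	for _, p := range userProjects[user] {
		if p == c.project {
			return true
		}
	}
	return false
}

// leakyLookup is the anti-pattern: the message differs depending on whether
// the cluster exists, and on denial it even names the owning project.
func leakyLookup(user, name string) error {
	c, ok := clusters[name]
	if !ok {
		return fmt.Errorf("cluster %q not found", name)
	}
	if !canAccess(user, c) {
		return fmt.Errorf("cluster %q belongs to project %q: permission denied", name, c.project)
	}
	return nil
}

// errDenied is the single error every unauthorized or unknown lookup gets.
var errDenied = errors.New("permission denied")

// safeLookup collapses "does not exist" and "not authorized" into one
// indistinguishable error for the caller. The detailed reason is returned
// separately so it can go to the server-side audit log, never to the client.
func safeLookup(user, name string) (audit string, err error) {
	c, ok := clusters[name]
	switch {
	case !ok:
		return fmt.Sprintf("user=%s cluster=%s reason=not-found", user, name), errDenied
	case !canAccess(user, c):
		return fmt.Sprintf("user=%s cluster=%s project=%s reason=forbidden", user, name, c.project), errDenied
	default:
		return fmt.Sprintf("user=%s cluster=%s reason=ok", user, name), nil
	}
}

// distinguishable reports whether two client-facing errors would let a caller
// tell the underlying cases apart; a defender wants this to be false.
func distinguishable(a, b error) bool {
	if a == nil || b == nil {
		return a != b
	}
	return a.Error() != b.Error()
}

func main() {
	for _, name := range []string{"prod-east", "no-such-cluster"} {
		fmt.Printf("leaky: %v\n", leakyLookup("bob", name))
		audit, err := safeLookup("bob", name)
		fmt.Printf("safe : %v   (audit log: %s)\n", err, audit)
	}
}
```

The check that matters is the last one: for an unauthorized user, the hardened function's errors for an existing and a non-existent cluster compare equal, while the leaky function's do not. Legitimate access is unaffected, which is what makes the uniform-error response safe to ship.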

