Cyber Resilience

CVE-2024-37152

Medium

Published: 06 June 2024

Published
06 June 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.8020 99.1th percentile
Risk Priority 59 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-37152 is a medium-severity Improper Authentication (CWE-287) vulnerability in Argoproj Argo Cd. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 0.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, contains an authentication bypass affecting the /api/v1/settings endpoint. The flaw permits unauthenticated access to sensitive configuration data; all fields remain masked except for passwordPattern, which is disclosed in plaintext. The issue is tracked under CWE-287 and CWE-306 and carries a CVSS 3.1 score of 5.3 reflecting network-reachable exposure without credentials.

An attacker with network access to an Argo CD instance can retrieve the exposed passwordPattern value and potentially leverage it to infer or validate password policies used by the deployment. Because the endpoint requires no authentication, the attack can be performed remotely by any party able to reach the API, resulting in limited confidentiality impact without affecting integrity or availability.

The vulnerability is resolved in Argo CD versions 2.11.3, 2.10.12, and 2.9.17. Official advisories and the accompanying commits on GitHub recommend immediate upgrade to one of the patched releases; no workarounds are documented in the referenced security notices. The EPSS score has remained at 0.8020 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12,…

more

and 2.9.17.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

argoproj
argo cd
2.9.3 — 2.9.17 · 2.10.0 — 2.10.12 · 2.11.0 — 2.11.3

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-287 CWE-306

Session content review can reveal authentication bypasses or failures in session establishment.

addresses: CWE-287 CWE-306

Assessments check authentication mechanisms for correct implementation and effectiveness, reducing successful authentication bypass attempts.

addresses: CWE-287 CWE-306

Documented IA policy and procedures require proper authentication mechanisms to be defined and followed, reducing improper authentication.

addresses: CWE-287 CWE-306

Requires adaptive authentication under specific conditions, directly strengthening authentication mechanisms against improper or insufficient authentication.

addresses: CWE-287 CWE-306

Identity providers centralize and enforce authentication mechanisms, reducing improper authentication.

addresses: CWE-287 CWE-306

Requires unique identification and authentication of organizational users, directly preventing improper authentication.

addresses: CWE-287 CWE-306

Enforces unique device identification and authentication before any connection is established, directly mitigating improper authentication weaknesses.

addresses: CWE-287 CWE-306

Directly requires implementation of compliant authentication mechanisms to cryptographic modules, preventing improper authentication.

References