CVE-2020-8826 - OpenCVE

As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration—there was no refresh or forced re-authentication.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Linuxfoundation	Argo Continuous Delivery

Configuration 1 [-]

cpe:2.3:a:linuxfoundation:argo_continuous_delivery:*:*:*:*:*:kubernetes:*:*

References

Link	Resource
https://argoproj.github.io/argo-cd/security_considerations/	Vendor Advisory
https://github.com/argoproj/argo/releases	Third Party Advisory
https://www.soluble.ai/blog/argo-cves-2020	Exploit Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-04-08T19:38:54

Updated: 2020-04-08T19:38:54

Reserved: 2020-02-10T00:00:00

Link: CVE-2020-8826

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-04-08T20:15:14.653

Modified: 2020-04-14T16:07:11.947

Link: CVE-2020-8826

JSON object: View

Redhat Information

No data.

CWE

CWE-384

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration\u2014there was no refresh or forced re-authentication."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-04-08T19:38:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/argoproj/argo/releases"}, {"tags": ["x_refsource_MISC"], "url": "https://www.soluble.ai/blog/argo-cves-2020"}, {"tags": ["x_refsource_MISC"], "url": "https://argoproj.github.io/argo-cd/security_considerations/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-8826", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration\u2014there was no refresh or forced re-authentication."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/argoproj/argo/releases", "refsource": "MISC", "url": "https://github.com/argoproj/argo/releases"}, {"name": "https://www.soluble.ai/blog/argo-cves-2020", "refsource": "MISC", "url": "https://www.soluble.ai/blog/argo-cves-2020"}, {"name": "https://argoproj.github.io/argo-cd/security_considerations/", "refsource": "MISC", "url": "https://argoproj.github.io/argo-cd/security_considerations/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-8826", "datePublished": "2020-04-08T19:38:54", "dateReserved": "2020-02-10T00:00:00", "dateUpdated": "2020-04-08T19:38:54", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:*:*:*:*:*:kubernetes:*:*", "matchCriteriaId": "3D2CD249-FE04-4C57-9580-9E2DB14EB393", "versionEndIncluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration\u2014there was no refresh or forced re-authentication."}, {"lang": "es", "value": "A partir de la versi\u00f3n v1.5.0, el sistema de autenticaci\u00f3n de la interfaz web de Argo emiti\u00f3 tokens inmutables. Los tokens de autenticaci\u00f3n, una vez emitidos, fueron usables para siempre sin caducidad: no exist\u00eda actualizaci\u00f3n ni reautenticaci\u00f3n forzada."}], "id": "CVE-2020-8826", "lastModified": "2020-04-14T16:07:11.947", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-08T20:15:14.653", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://argoproj.github.io/argo-cd/security_considerations/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/argoproj/argo/releases"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.soluble.ai/blog/argo-cves-2020"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-384"}], "source": "nvd@nist.gov", "type": "Primary"}]}