PT-2020-20311 · Intuit · Argo CD

Matt Hamilton · Published 2020-04-08 · Updated 2024-08-07 · CVE-2020-8828

CVSS v3.1: 8.8 (High) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Argo CD versions 1.5.0 through 1.8.0

Description: The default admin password is set to the name of the argocd-server pod. Because Argo CD runs with privileged cluster roles, an insider with access to the cluster or to its logs can use that pod name to log in as admin and escalate privileges. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and can wind up just about anywhere.

Recommendations: For versions 1.5.0 through 1.8.0, use SSO integration as a mitigation. The default admin password should be used only for initial configuration; after that, disable the admin user, or at least change its password to a strong one, to minimize the risk of exploitation.
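An audit check for the conditions above, added here as an example; it is not from the advisory or the Argo CD project. It assumes the argocd-server image tag carries the version (argoproj/argocd:vX.Y.Z), the argocd-cm keys admin.enabled, oidc.config and dex.config, and the argocd-secret key admin.passwordMtime, which is set when the admin password is changed.

```python
"""Audit an Argo CD install for the CVE-2020-8828 default-admin-password issue.

Inputs mirror `kubectl -n argocd get deploy/argocd-server cm/argocd-cm secret/argocd-secret -o json`.
Assumed (not stated in the advisory): the argocd-server image tag carries the version
(argoproj/argocd:vX.Y.Z); argocd-cm keys admin.enabled, oidc.config, dex.config;
argocd-secret key admin.passwordMtime, which Argo CD sets when the password is changed.
"""
import re

AFFECTED_MIN, AFFECTED_MAX = (1, 5, 0), (1, 8, 0)  # inclusive range from the advisory

def version_from_image(image: str):
    """'argoproj/argocd:v1.7.2' -> (1, 7, 2); None when the tag is not a semver."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected_version(ver) -> bool:
    return ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX

def audit(server_deploy: dict, argocd_cm: dict, argocd_secret: dict) -> list:
    """Return a list of findings; an empty list means no action needed."""
    findings = []
    image = server_deploy["spec"]["template"]["spec"]["containers"][0]["image"]
    ver = version_from_image(image)
    if is_affected_version(ver):
        findings.append("argocd-server %s is in the affected range 1.5.0-1.8.0" % ".".join(map(str, ver)))
    cm = argocd_cm.get("data") or {}
    admin_enabled = cm.get("admin.enabled", "true").strip().lower() != "false"
    if admin_enabled:
        findings.append('local admin account enabled (argocd-cm admin.enabled is not "false")')
    secret = argocd_secret.get("data") or {}
    if admin_enabled and "admin.passwordMtime" not in secret:
        findings.append("admin.passwordMtime missing: admin password never rotated from the pod-name default")
    if not (cm.get("oidc.config") or cm.get("dex.config")):
        findings.append("no SSO configured (neither oidc.config nor dex.config in argocd-cm)")
    return findings

# Constructed sample objects (not real cluster output): a stock 1.7.2 install ...
SAMPLE_DEPLOY = {"spec": {"template": {"spec": {"containers": [{"image": "argoproj/argocd:v1.7.2"}]}}}}
SAMPLE_CM = {"data": {}}                                           # admin still enabled, no SSO
SAMPLE_SECRET = {"data": {"admin.password": "JDJhJDEwJC4uLg=="}}  # bcrypt hash, no passwordMtime
# ... and the same install after applying the recommendations.
HARDENED_CM = {"data": {"admin.enabled": "false", "oidc.config": "issuer: https://sso.example.invalid"}}

if __name__ == "__main__":
    for finding in audit(SAMPLE_DEPLOY, SAMPLE_CM, SAMPLE_SECRET):
        print("FINDING:", finding)
```

Against the stock sample the audit reports four findings; against the hardened ConfigMap only the version finding remains, which is the cue to upgrade.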

Weakness Enumeration: Improper Authentication

Related Identifiers:
BIT-ARGO-CD-2020-8828
CVE-2020-8828
GHSA-H8JC-JMRF-9H8F

Affected Products: Argo CD