PT-2023-13975 · Argo CD
Bean.Zhang · Published 2023-03-23 · Updated 2024-08-20
CVE-2022-41354
| CVSS v3.1 | 5.3 (Medium) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Argo CD versions 0.5.0 through 2.4.12
Argo CD versions 2.5.0 through 2.5.15
Argo CD versions 2.6.0 through 2.6.6
Description
An access control issue in Argo CD allows unauthorized users to enumerate existing applications by inspecting API error messages. Many Argo CD API endpoints accept an application name as a parameter, and the error returned for a nonexistent application differs from the one returned for an existing application the caller is not permitted to access. By trial and error, an attacker can therefore infer which applications exist and which do not. This could be used as a starting point for further attacks, such as social engineering to gain higher privileges. The issue affects all versions of Argo CD starting with v0.5.0.
Recommendations
For Argo CD versions 0.5.0 through 2.4.12, upgrade to version 2.4.28 or later.
For Argo CD versions 2.5.0 through 2.5.15, upgrade to version 2.5.16 or later.
For Argo CD versions 2.6.0 through 2.6.6, upgrade to version 2.6.7 or later.
As a general precaution, review API client code to ensure it handles the changed API behavior properly: the fixed versions return "unauthorized" both for applications that do not exist and for applications the caller is not permitted to access, so a client can no longer rely on a distinct "not found" response.
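The following Go program is an added illustration of the error-response oracle described above and of the fix pattern (it is not Argo CD's own code; the names appStore, user, lookupVulnerable, lookupFixed and distinguishable are assumptions). The vulnerable handler checks existence before authorization and so returns two different errors; the fixed handler collapses both failures into the same "permission denied" response, which is why client code must treat that response as covering the missing-application case too.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors standing in for the API's error responses (assumed names).
var ErrNotFound = errors.New("application not found")
var ErrPermissionDenied = errors.New("permission denied")

// user models an API caller and the applications it may read (assumed type).
type user struct {
	name    string
	allowed map[string]bool
}

// appStore is a constructed sample of the applications that exist on the server.
var appStore = map[string]bool{"payments": true, "billing": true}

// lookupVulnerable mirrors the pre-fix behaviour: the existence check runs
// before the authorization check, so an unauthorized caller sees two
// different errors depending on whether the application exists.
func lookupVulnerable(u user, app string) error {
	if !appStore[app] {
		return ErrNotFound
	}
	if !u.allowed[app] {
		return ErrPermissionDenied
	}
	return nil
}

// lookupFixed returns the same error for a missing application and for an
// application the caller may not access, so the response leaks nothing
// about which names exist.
func lookupFixed(u user, app string) error {
	if !appStore[app] || !u.allowed[app] {
		return ErrPermissionDenied
	}
	return nil
}

// distinguishable reports whether a caller with no permissions can tell an
// existing application from a missing one by comparing the two responses.
func distinguishable(lookup func(user, string) error, existing, missing string) bool {
	anon := user{name: "anonymous", allowed: map[string]bool{}}
	return !errors.Is(lookup(anon, existing), lookup(anon, missing))
}

func main() {
	fmt.Println("vulnerable handler leaks existence:", distinguishable(lookupVulnerable, "payments", "nosuchapp"))
	fmt.Println("fixed handler leaks existence:", distinguishable(lookupFixed, "payments", "nosuchapp"))
}
```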
Side Channel Attack
Affected Products: Argo CD