logo

Database

Lack of protection against brute force attacks In github.com/argoproj/argo-cd/util/cache

Description

Improper Restriction of Excessive Authentication Attempts in Argo API As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.

Specific Go Packages Affected

github.com/argoproj/argo-cd/util/cache

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2020-88272. NVD-2020-88273. OSV-2020-88274. GHSA-xcqr-9h24-vrgw5. GCVE-2020-8827

References

1. https://github.com/argoproj/argo-cd/pull/33692. https://github.com/argoproj/argo-cd/pull/34043. https://github.com/argoproj/argo-cd/commit/35a7350b7444bcaf53ee0bb11b9d8e3ae4b717a14. https://argoproj.github.io/argo-cd/operator-manual/user-management/#disable-admin-user5. https://argoproj.github.io/argo-cd/security_considerations/6. https://github.com/argoproj/argo/releases7. https://www.soluble.ai/blog/argo-cves-20208. https://argoproj.github.io/argo-cd/security_considerations

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.