{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-41354", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T12:42:45.688Z", "dateReserved": "2022-09-26T00:00:00", "datePublished": "2023-03-27T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-03-27T00:00:00"}, "descriptions": [{"lang": "en", "value": "An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://argo.com"}, {"url": "https://github.com/chunklhit/cve/blob/master/argo/argo-cd/application_enumeration.md"}, {"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T12:42:45.688Z"}, "title": "CVE Program Container", "references": [{"url": "http://argo.com", "tags": ["x_transferred"]}, {"url": "https://github.com/chunklhit/cve/blob/master/argo/argo-cd/application_enumeration.md", "tags": ["x_transferred"]}, {"url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "21D5448A-EB02-4357-9723-20F8EF1962E9", "versionEndExcluding": "2.4.28", "versionStartIncluding": "0.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A532628-AB91-4EC1-9FCB-9172F5CECC0E", "versionEndExcluding": "2.5.16", "versionStartIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:linuxfoundation:argo-cd:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B951D1A-7B21-43E5-B715-138F9F4DCA37", "versionEndExcluding": "2.6.7", "versionStartIncluding": "2.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications."}], "id": "CVE-2022-41354", "lastModified": "2023-04-03T17:02:16.910", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-27T14:15:07.557", "references": [{"source": "cve@mitre.org", "tags": ["Product"], "url": "http://argo.com"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://github.com/chunklhit/cve/blob/master/argo/argo-cd/application_enumeration.md"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:1453", "cpe": "cpe:/a:redhat:openshift_gitops:1.6::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.6.6-1", "product_name": "Red Hat OpenShift GitOps 1.6", "release_date": "2023-03-23T00:00:00Z"}, {"advisory": "RHSA-2023:1454", "cpe": "cpe:/a:redhat:openshift_gitops:1.7::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.7.3-4", "product_name": "Red Hat OpenShift GitOps 1.7", "release_date": "2023-03-23T00:00:00Z"}, {"advisory": "RHSA-2023:1452", "cpe": "cpe:/a:redhat:openshift_gitops:1.8::el8", "package": "openshift-gitops-1/argocd-rhel8:v1.8.1-1", "product_name": "Red Hat OpenShift GitOps 1.8", "release_date": "2023-03-23T00:00:00Z"}], "bugzilla": {"description": "ArgoCD: Authenticated but unauthorized users may enumerate Application names via the API", "id": "2167820", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2167820"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "details": ["An access control issue in Argo CD v2.4.12 and below allows unauthenticated attackers to enumerate existing applications.", "An information disclosure flaw was found in Argo CD. This issue may allow unauthorized users to enumerate application names by inspecting API error messages and could use the discovered application names as the starting point of another attack. For example, the attacker might use their knowledge of an application name to convince an administrator to grant higher privileges."], "name": "CVE-2022-41354", "public_date": "2023-03-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-41354\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-41354\nhttps://github.com/argoproj/argo-cd/security/advisories/GHSA-2q5c-qw9c-fmvq"], "threat_severity": "Moderate"}