Argo CD Information Disclosure (CVE-2024-37152) - Vulnerability Database

Argo CD Information Disclosure (CVE-2024-37152)

Description

Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, contains an information disclosure vulnerability (CVE-2024-37152) that allows unauthenticated remote attackers to access sensitive configuration settings. This vulnerability exposes internal system information that should be restricted to authenticated users, potentially revealing deployment configurations, repository details, or other sensitive operational data.

Remediation

Immediately upgrade Argo CD to a patched version that addresses CVE-2024-37152. Consult the official GitHub Security Advisory (GHSA-87p9-x75h-p4j2) for specific version requirements and upgrade instructions. After upgrading, review access logs for any suspicious unauthenticated access attempts to sensitive endpoints. Additionally, implement network-level access controls to restrict Argo CD access to trusted networks or users, and ensure that sensitive configuration data is properly protected through role-based access control (RBAC) policies. Verify that all instances of Argo CD in your environment have been updated and conduct a security assessment to determine if any sensitive information was accessed prior to patching.
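The log-review step in the remediation above, as an added example that is not part of this advisory or of the Argo CD project: a small scanner that reads API-server access-log lines and flags successful requests to sensitive endpoints that carried no authenticated identity, distinguishing external sources from trusted internal networks. The JSON field names, the `/api/v1/settings` path (confirm the affected endpoints against the advisory), the trusted-network list and the sample log lines are all constructed assumptions for this illustration, not Argo CD's actual log schema.

```python
"""Review constructed access-log lines for unauthenticated reads of sensitive endpoints.

Field names, endpoint paths and trusted networks below are assumptions for this
example; adapt the parser to whatever your argocd-server actually emits.
"""
import ipaddress
import json
from collections import Counter

# Constructed sample, JSON-lines style. Fields ts/client_ip/method/path/status/user
# are an assumed schema, not Argo CD's own log format.
SAMPLE_LOG = """\
{"ts":"2024-06-10T12:00:01Z","client_ip":"10.0.1.15","method":"GET","path":"/api/v1/settings","status":200,"user":"alice"}
{"ts":"2024-06-10T12:00:07Z","client_ip":"203.0.113.42","method":"GET","path":"/api/v1/settings","status":200,"user":""}
{"ts":"2024-06-10T12:00:09Z","client_ip":"203.0.113.42","method":"GET","path":"/api/v1/applications","status":401,"user":""}
{"ts":"2024-06-10T12:01:30Z","client_ip":"10.0.1.20","method":"GET","path":"/api/v1/settings","status":200,"user":""}
not json at all
{"ts":"2024-06-10T12:02:00Z","client_ip":"198.51.100.7","method":"GET","path":"/api/v1/settings","status":200,"user":""}
"""

# Assumption: endpoints whose unauthenticated responses disclosed configuration.
# Replace with the paths named in the advisory (GHSA-87p9-x75h-p4j2).
SENSITIVE_PATHS = ("/api/v1/settings",)

# Assumption: networks from which unauthenticated traffic is expected (in-cluster
# login UI, load-balancer probes). Hits from anywhere else are treated as external.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_line(line):
    """Return the parsed record, or None for blank or non-JSON lines."""
    line = line.strip()
    if not line:
        return None
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def is_trusted(ip_text, networks=TRUSTED_NETWORKS):
    """True when the client address falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address: never treat as trusted
    return any(ip in net for net in networks)


def is_unauthenticated(rec):
    """Assumed convention: an empty or 'anonymous' user means no identity was attached."""
    return rec.get("user", "") in ("", "anonymous")


def find_disclosures(log_text, sensitive_paths=SENSITIVE_PATHS, networks=TRUSTED_NETWORKS):
    """Return successful (HTTP 200), unauthenticated requests to sensitive paths.

    Each finding carries an 'external' flag so hits from outside trusted networks
    can be prioritised; a 401/403 means the server refused, so it is not a disclosure.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec.get("path", "")
        if not any(path == p or path.startswith(p + "/") for p in sensitive_paths):
            continue
        if rec.get("status") != 200 or not is_unauthenticated(rec):
            continue
        ip = rec.get("client_ip", "")
        findings.append({
            "ts": rec.get("ts"),
            "client_ip": ip,
            "path": path,
            "external": not is_trusted(ip, networks),
        })
    return findings


def summarize(findings):
    """Count disclosures per source address so repeated probing stands out."""
    return Counter(f["client_ip"] for f in findings)


if __name__ == "__main__":
    hits = find_disclosures(SAMPLE_LOG)
    for f in hits:
        origin = "EXTERNAL" if f["external"] else "internal"
        print(f"{f['ts']} {f['client_ip']:<15} {origin:<8} unauthenticated 200 on {f['path']}")
    print("per-source counts:", dict(summarize(hits)))
```

Run it against exported argocd-server logs after patching; every external hit is a candidate for the post-incident assessment the remediation calls for, and internal hits tell you whether the trusted-network assumption itself needs tightening.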
