CVE-2020-8826

{"id": "CVE-2020-8826", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2020-04-08T20:15:14.653", "references": [{"url": "https://argoproj.github.io/argo-cd/security_considerations/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/argoproj/argo/releases", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.soluble.ai/blog/argo-cves-2020", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "As of v1.5.0, the Argo web interface authentication system issued immutable tokens. Authentication tokens, once issued, were usable forever without expiration\u2014there was no refresh or forced re-authentication."}, {"lang": "es", "value": "A partir de la versi\u00f3n v1.5.0, el sistema de autenticaci\u00f3n de la interfaz web de Argo emiti\u00f3 tokens inmutables. Los tokens de autenticaci\u00f3n, una vez emitidos, fueron usables para siempre sin caducidad: no exist\u00eda actualizaci\u00f3n ni reautenticaci\u00f3n forzada."}], "lastModified": "2020-04-14T16:07:11.947", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linuxfoundation:argo_continuous_delivery:*:*:*:*:*:kubernetes:*:*", "vulnerable": true, "matchCriteriaId": "3D2CD249-FE04-4C57-9580-9E2DB14EB393", "versionEndIncluding": "1.5.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}