Argo CD Insecure default administrative password
High severity
GitHub Reviewed
Published Jul 26, 2021 to the GitHub Advisory Database • Updated Aug 7, 2024
Description
Published by the National Vulnerability Database: Apr 8, 2020
Reviewed: Jul 26, 2021
Published to the GitHub Advisory Database: Jul 26, 2021
Last updated: Aug 7, 2024
In Argo CD versions 1.8.0 and prior, the default admin password is set to the name of the argocd-server pod. Anyone who can read that pod name, such as an insider with access to the cluster or to its logs, can log in as admin; because Argo CD's admin role is highly privileged, this is a privilege escalation path. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and can wind up just about anywhere.
Workaround:
The recommended mitigation, as described in the user documentation, is to use SSO integration. The default admin password should only be used for initial configuration; afterwards the admin account should be disabled, or at least its password changed to a strong one (the `argocd account update-password` CLI command does this). Note that simply restarting or rolling the argocd-server pod does not help: the stored password is not regenerated from the new pod name, so it stays equal to the original pod name until it is explicitly changed.
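The following audit script, added here as an example and not code from the Argo CD project or the advisory, shows how a defender can confirm whether an installation still accepts an argocd-server pod name as the admin password, both before and after applying the workaround above. It assumes a reachable Argo CD API at a URL you supply, that `POST /api/v1/session` with `{"username": ..., "password": ...}` returns HTTP 200 and a JSON body containing `token` on success, and uses constructed `kubectl get pods -n argocd` output with made-up pod names. The login call is injectable so the pod-name parsing and reporting logic can be exercised offline.

```python
"""Audit for the Argo CD insecure default admin password (Argo CD <= 1.8.0).

Added example, not Argo CD project code. Assumptions (not stated in the
advisory): ARGOCD_URL points at the Argo CD API; POST /api/v1/session with
{"username", "password"} answers 200 + {"token": ...} on success and 401 on
a wrong password; the kubectl output and pod names below are constructed.
"""
import json
import re
import ssl
import sys
import urllib.error
import urllib.request
from typing import Callable, Iterable, List

# Constructed sample of `kubectl get pods -n argocd`. Names are invented but
# follow the usual Deployment pattern <name>-<replicaset-hash>-<pod-id>.
SAMPLE_KUBECTL_OUTPUT = """\
NAME                                  READY   STATUS    RESTARTS   AGE
argocd-application-controller-0       1/1     Running   0          3d
argocd-redis-6d7f9f4b6c-q8xr2         1/1     Running   0          3d
argocd-repo-server-7c9cf6b8d9-k2mvn   1/1     Running   0          3d
argocd-server-5bc56f4b8f-7xq2z        1/1     Running   0          3d
argocd-server-5bc56f4b8f-p9l4d        1/1     Running   0          3d
"""

# Only argocd-server pods matter: their name is the default admin password.
POD_NAME_RE = re.compile(r"^(argocd-server-[a-z0-9]+-[a-z0-9]+)\s", re.MULTILINE)


def argocd_server_pod_names(kubectl_output: str) -> List[str]:
    """Extract every argocd-server pod name from `kubectl get pods` output.

    With several replicas each name is a candidate; the password was taken
    from whichever pod was running when admin was initialised, and earlier
    pod names may still be visible in logs after a rollout.
    """
    return POD_NAME_RE.findall(kubectl_output)


def try_admin_login(base_url: str, password: str,
                    verify_tls: bool = True, timeout: float = 5.0) -> bool:
    """Return True if Argo CD issues a session token for admin / password.

    Network call against a real API; set verify_tls=False for the
    self-signed certificate Argo CD installs by default.
    """
    body = json.dumps({"username": "admin", "password": password}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/session",
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    ctx = None if verify_tls else ssl._create_unverified_context()
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status == 200 and "token" in json.loads(resp.read())
    except urllib.error.HTTPError:
        # 401 means the password was rejected; any other error is "not confirmed".
        return False


def find_default_passwords(pod_names: Iterable[str],
                           login: Callable[[str], bool]) -> List[str]:
    """Return the pod names that the login function accepted as admin password.

    `login` is injected so the logic can be tested without a cluster.
    """
    return [name for name in pod_names if login(name)]


if __name__ == "__main__":
    # Usage: python argocd_default_admin_audit.py https://argocd.example.internal
    url = sys.argv[1] if len(sys.argv) > 1 else "https://argocd.example.internal"
    candidates = argocd_server_pod_names(SAMPLE_KUBECTL_OUTPUT)
    hits = find_default_passwords(
        candidates, lambda pw: try_admin_login(url, pw, verify_tls=False))
    if hits:
        print("VULNERABLE: admin accepts pod name(s) as password:", ", ".join(hits))
        print("Rotate the password (argocd account update-password) and move to SSO.")
    else:
        print("OK: none of the argocd-server pod names work as the admin password.")
```

In a real run, replace SAMPLE_KUBECTL_OUTPUT with the output of `kubectl get pods -n argocd`; after rotating the admin password or disabling the account, the same script should report no hits. Because the check sends the candidate password to the API, run it only against an installation you are authorised to test, and expect the attempts to appear in the argocd-server logs.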