Improper Restriction of Excessive Authentication Attempts in Argo API
High severity
GitHub Reviewed
Published
Jul 26, 2021
to the GitHub Advisory Database
•
Updated Aug 7, 2024
Description
Published by the National Vulnerability Database
Apr 8, 2020
Reviewed
Jul 26, 2021
Published to the GitHub Advisory Database
Jul 26, 2021
Last updated
Aug 7, 2024
As of v1.5.0, the Argo API does not implement anti-automation measures such as rate limiting, account lockouts, or other anti-bruteforce measures. Attackers can submit an unlimited number of authentication attempts without consequence.
Specific Go Packages Affected
github.com/argoproj/argo-cd/util/cache
References