Open maoning opened 3 months ago
I would like to work on this
Hi @redex557,
Thanks for picking up this request. Please complete the following items before the implementation:
@redex557 Is there any update on this request? If not, I will release this back to the pool.
@maoning I already wrote a plugin for Argo CD and I think you should assign this to me. It has been two weeks now, and according to the rules, this AI PRP should be back in the pool now!
@maoning There is one default credential for current recent versions in here. I checked previous versions and they don't have default creds. There is only one CVE, and it requires brute-forcing the unsafe PRNG string too, which is not feasible quickly. The blog post: https://web.archive.org/web/20220330042723/soluble.ai/blog/argo-cves-2020
@JamesFoxxx Thanks for providing the details; including the default credential you linked is sufficient for this weak credential tester. Could you check how to test for successful authentication for ArgoCD (is relying on the network request sufficient)?
@maoning argo-cd contains a login page, so we can check for the successful login message.
@JamesFoxxx Please complete the following items before the implementation:
@maoning I found two additional default passwords here: https://github.com/argoproj/argo-cd/blob/dd3bb2bad44293a6d0852674d1982e9d066b6001/docs/faq.md?plain=1#L59-L64. I already wrote the plugin, because it is hard to jump into argo-cd again after I wrote one plugin. I'm waiting for your confirmation to create a PR.
From: https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/abusing-argo-cd-helm-and-artifact-hub-an-analysis-of-supply-chain-attacks-in-cloud-native-applications
Please read the rules of engagement first at https://github.com/google/tsunami-security-scanner-plugins/issues/409.