### [CVE-2024-37152](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37152)

![Product: argo-cd](https://img.shields.io/static/v1?label=Product&message=argo-cd&color=blue)
![Version: >= 2.10.0, < 2.10.12](https://img.shields.io/static/v1?label=Version&message=%3E%3D%202.10.0%2C%20%3C%202.10.12%20&color=brightgreen)
![Version: >= 2.11.0, < 2.11.3](https://img.shields.io/static/v1?label=Version&message=%3E%3D%202.11.0%2C%20%3C%202.11.3%20&color=brightgreen)
![Version: >= 2.9.3, < 2.9.17](https://img.shields.io/static/v1?label=Version&message=%3E%3D%202.9.3%2C%20%3C%202.9.17%20&color=brightgreen)
![Version: 2.10.0](https://img.shields.io/static/v1?label=Version&message=2.10.0%20&color=brightgreen)
![Version: 2.11.0](https://img.shields.io/static/v1?label=Version&message=2.11.0%20&color=brightgreen)
![Version: 2.9.3](https://img.shields.io/static/v1?label=Version&message=2.9.3%20&color=brightgreen)
![Vulnerability: CWE-287: Improper Authentication](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-287%3A%20Improper%20Authentication&color=brightgreen)
![Vulnerability: CWE-306: Missing Authentication for Critical Function](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-306%3A%20Missing%20Authentication%20for%20Critical%20Function&color=brightgreen)

### Description

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthenticated access to the sensitive settings exposed by the `/api/v1/settings` endpoint. All sensitive settings are hidden except `passwordPattern`. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.

### POC

#### Reference

No PoCs from references.

#### Github

- https://github.com/20142995/nuclei-templates