CVE-2020-8827: Improper Restriction of Excessive Authentication Attempts in Argo API
CVSS Score: 7.5 (CVSS 3.1)

Basic Information
CVE ID: CVE-2020-8827
GHSA ID:
EPSS Score: 0.71414%
CWE: CWE-307
Published: 7/26/2021
Updated: 8/7/2024
KEV Status: No
Technology: Go

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/argoproj/argo-cd | go | < 1.5.1 | 1.5.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the absence of anti-brute-force mechanisms in authentication handling. The VerifyUsernamePassword function in sessionmanager.go was identified as the vulnerable function because:
- Pre-patch commit diffs show that this function was the core authentication validation point
- The CVE description explicitly mentions missing rate limiting in authentication flows
- The fix in PR #3404 adds Redis-backed failure tracking and delay logic to this exact function
- The original implementation returned an immediate response without tracking attempt history
- This matches the CWE-307 pattern (Improper Restriction of Excessive Authentication Attempts)
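To make the missing control concrete, the following is an added example written for this page; it is not Argo CD's code from sessionmanager.go or PR #3404. It shows the shape of the control the fix introduces: a per-username failure tracker consulted before the credential check, with a lockout window standing in for the delay logic. The example assumes an in-memory store instead of Redis, a constructed credential store, and hypothetical names (LoginLimiter, Authenticator, the five-failure / ten-minute policy) that are not the project's.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Policy for the constructed example: five consecutive failures lock the
// account for ten minutes. The values are illustrative, not Argo CD's.
const (
	maxFailures   = 5
	lockoutWindow = 10 * time.Minute
)

var (
	ErrInvalidCredentials = errors.New("invalid username or password")
	ErrTooManyAttempts    = errors.New("too many failed login attempts, try again later")
)

type attemptState struct {
	failures    int
	lastFailure time.Time
	lockedUntil time.Time
}

// LoginLimiter tracks failed attempts per username in memory. A multi-replica
// deployment keeps this state in a shared store (the analysis above describes
// a Redis-backed fix); the policy logic is the same either way.
type LoginLimiter struct {
	mu       sync.Mutex
	attempts map[string]*attemptState
	now      func() time.Time // injectable clock, so lockout expiry can be tested
}

func NewLoginLimiter() *LoginLimiter {
	return &LoginLimiter{attempts: make(map[string]*attemptState), now: time.Now}
}

// Check reports whether user may attempt a login right now. Served lockouts
// and failure counts older than the window are cleared here.
func (l *LoginLimiter) Check(user string) error {
	l.mu.Lock()
	defer l.mu.Unlock()
	st, ok := l.attempts[user]
	if !ok {
		return nil
	}
	now := l.now()
	if now.Before(st.lockedUntil) {
		return ErrTooManyAttempts
	}
	if !st.lockedUntil.IsZero() || now.Sub(st.lastFailure) > lockoutWindow {
		delete(l.attempts, user)
	}
	return nil
}

// RecordFailure counts a failed attempt and locks the account at the threshold.
func (l *LoginLimiter) RecordFailure(user string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	st, ok := l.attempts[user]
	if !ok {
		st = &attemptState{}
		l.attempts[user] = st
	}
	st.failures++
	st.lastFailure = l.now()
	if st.failures >= maxFailures {
		st.lockedUntil = st.lastFailure.Add(lockoutWindow)
	}
}

// RecordSuccess resets the counter after a valid login.
func (l *LoginLimiter) RecordSuccess(user string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.attempts, user)
}

// Authenticator is a hypothetical stand-in for the VerifyUsernamePassword
// entry point named in the analysis. The credential store is constructed:
// username -> SHA-256 of the password. A production system stores a slow
// password hash (bcrypt or argon2) instead.
type Authenticator struct {
	limiter *LoginLimiter
	hashes  map[string][32]byte
}

func NewAuthenticator(limiter *LoginLimiter) *Authenticator {
	return &Authenticator{
		limiter: limiter,
		hashes:  map[string][32]byte{"admin": sha256.Sum256([]byte("correct horse"))},
	}
}

// VerifyUsernamePassword consults the limiter before any credential work, so a
// locked account is rejected without evaluating the password at all.
func (a *Authenticator) VerifyUsernamePassword(user, password string) error {
	if err := a.limiter.Check(user); err != nil {
		return err
	}
	// Unknown users take the same path as wrong passwords: the comparison still
	// runs, the failure is counted, and the error does not say which case it was.
	stored, known := a.hashes[user]
	got := sha256.Sum256([]byte(password))
	match := subtle.ConstantTimeCompare(stored[:], got[:]) == 1
	if !known || !match {
		a.limiter.RecordFailure(user)
		return ErrInvalidCredentials
	}
	a.limiter.RecordSuccess(user)
	return nil
}

func main() {
	auth := NewAuthenticator(NewLoginLimiter())
	for i := 0; i < maxFailures; i++ {
		fmt.Println("attempt", i+1, ":", auth.VerifyUsernamePassword("admin", "guess"))
	}
	fmt.Println("correct password while locked:", auth.VerifyUsernamePassword("admin", "correct horse"))
}
```

The limiter is keyed by username here; keying on the source address as well, and emitting an audit event when a lockout triggers, are the two additions a deployment usually wants, since the lockout itself is the signal a detection team looks for.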