8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-8828

GHSA ID

GHSA-h8jc-jmrf-9h8f

EPSS Score

0.61694%

CWE

CWE-287

Published

7/26/2021

Updated

8/7/2024

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-8828

CVE-2020-8828:
Argo CD Insecure default administrative password

In Argo CD versions 1.8.0 and prior, the default admin password is set to the argocd-server pod name. For insiders with access to the cluster or logs, this issue could be abused for privilege escalation, as Argo has privileged roles. A malicious insider is the most realistic threat, but pod names are not meant to be kept secret and could wind up just about anywhere.

Workaround:

The recommended mitigation as described in the user documentation is to use SSO integration. The default admin password should only be used for initial configuration and then disabled or at least changed to a more secure password.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-8828

GHSA ID

GHSA-h8jc-jmrf-9h8f

EPSS Score

0.61694%

CWE

CWE-287

Published

7/26/2021

Updated

8/7/2024

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/argoproj/argo-cd	go	<= 1.8.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly states the default admin password was set to the argocd-server pod name. While no exact function name is provided in the references, the core issue stems from the password initialization logic that retrieves the pod name (via Kubernetes' HOSTNAME environment variable) and uses it as the default credential. This matches CWE-1188 (insecure default initialization) and aligns with the documented mitigation requiring password changes. The confidence is high because the attack vector directly maps to this design flaw, even without seeing the exact code implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *r*o ** v*rsions *.*.* *n* prior, t** ****ult **min p*sswor* is s*t to t** *r*o**-s*rv*r po* n*m*. *or insi**rs wit* ****ss to t** *lust*r or lo*s, t*is issu* *oul* ** **us** *or privil*** *s**l*tion, *s *r*o **s privil**** rol*s. * m*li*ious insi

Reasoning

T** vuln*r**ility *xpli*itly st*t*s t** ****ult **min p*sswor* w*s s*t to t** `*r*o**-s*rv*r` po* n*m*. W*il* no *x**t `*un*tion n*m*` is provi*** in t** r***r*n**s, t** *or* issu* st*ms *rom t** p*sswor* initi*liz*tion lo*i* t**t r*tri*v*s t** po* n

8.8

Basic Information

Concerned about an active attack path?

CVE-2020-8828: Argo CD Insecure default administrative password

Workaround:

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2020-8828:
Argo CD Insecure default administrative password

Vulnerability Intelligence
Miggo AI