CVE-2024-29893 – Uncontrolled Resource Consumption vulnerability in ArgoCD's repo server
https://notcve.org/view.php?id=CVE-2024-29893
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD's helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. • https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59 https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3 https://access.redhat.com/security/cve/CVE-2024-29893 https://bugzilla.redhat.com/show_bug.cgi?id=2272211 • CWE-400: Uncontrolled Resource Consumption •
CVE-2024-21662 – Argo CD vulnerable to Bypassing of Rate Limit and Brute Force Protection Using Cache Overflow
https://notcve.org/view.php?id=CVE-2024-21662
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. • https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456 https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454 https://access.redhat.com/security/cve/CVE-2024-21662 https://bugzilla.redhat.com/sh • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVE-2024-21661 – Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment
https://notcve.org/view.php?id=CVE-2024-21661
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. • https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311 https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345 https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208 https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7 https://access.redhat.com/security/cve/CVE-2024-21661 https://bugzilla.redhat.com/show_bug. • CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context CWE-787: Out-of-bounds Write •
CVE-2024-21652 – Argo CD vulnerable to Bypassing of Brute Force Protection via Application Crash and In-Memory Data Loss
https://notcve.org/view.php?id=CVE-2024-21652
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue. • https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv https://access.redhat.com/security/cve/CVE-2024-21652 https://bugzilla.redhat.com/show_bug.cgi?id=2270170 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVE-2023-50726 – Users with `create` but not `override` privileges can perform local sync in argo-cd
https://notcve.org/view.php?id=CVE-2023-50726
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. • https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978 https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm https://access.redhat.com/security/cve/CVE-2023-50726 https://bugzilla.redhat.com/show_bug.cgi?id=2269479 • CWE-269: Improper Privilege Management •