CVE-2024-21662 – Argo CD vulnerable to Bypassing of Rate Limit and Brute Force Protection Using Cache Overflow
https://notcve.org/view.php?id=CVE-2024-21662
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. The brute force protection relies on a bounded in-memory cache that tracks failed login attempts per user; an attacker who overflows that cache with login attempts against other usernames causes the targeted user's entry to be evicted, resetting the failure count for that account. This weakness can be chained with other vulnerabilities to attack the default admin account, and it undermines the patch for CVE-2020-8827 that was intended to protect against brute-force attacks. • https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456 https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454 https://access.redhat.com/security/cve/CVE-2024-21662 https://bugzilla.redhat.com/sh • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVE-2024-21661 – Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment
https://notcve.org/view.php?id=CVE-2024-21661
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment: in the affected session-manager code, an array is modified while it is being iterated over. On its own this is a classic programming error; when several request-handling threads execute it concurrently without synchronization, it becomes critically unsafe and can crash the process. • https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311 https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345 https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208 https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7 https://access.redhat.com/security/cve/CVE-2024-21661 https://bugzilla.redhat.com/show_bug. • CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context CWE-787: Out-of-bounds Write •
CVE-2024-21652 – Argo CD vulnerable to Bypassing of Brute Force Protection via Application Crash and In-Memory Data Loss
https://notcve.org/view.php?id=CVE-2024-21652
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and an in-memory data storage weakness, to effectively bypass the application's brute force login protection. Because the record of failed login attempts is held only in memory, crashing the service (which affects all users) also discards that record, so the attacker can resume with unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue. • https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv https://access.redhat.com/security/cve/CVE-2024-21652 https://bugzilla.redhat.com/show_bug.cgi?id=2270170 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
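The three advisories above describe one mechanism from three angles: a bounded in-memory table of failed logins can be overflowed (CVE-2024-21662), written concurrently without synchronization (CVE-2024-21661), and lost entirely when the process crashes (CVE-2024-21652). The Go program below is an added example written for this page; it is not Argo CD's code or its fix. The type and function names (`tracker`, `RecordFailure`, `demonstrate`), the table size of 3 usernames and the lockout threshold of 5 failures are assumptions chosen to make the overflow visible. It models the weak eviction policy beside one possible hardening (refuse to track a new username when the table is full rather than evict a live lockout) and runs the username flood from concurrent goroutines under a mutex.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

type failedLogin struct {
	count    int
	lastFail time.Time
}

// tracker is a bounded in-memory table of failed logins (illustrative model, not
// Argo CD's code). failClosed=false is the weak policy: a full table evicts a
// live entry. failClosed=true is one possible hardening: refuse instead.
type tracker struct {
	mu         sync.Mutex // guards every field below; see demonstrate
	entries    map[string]*failedLogin
	order      []string // insertion order, oldest first
	maxSize    int      // cap on tracked usernames
	maxFails   int      // failures before a username is locked out
	window     time.Duration
	failClosed bool
}

func newTracker(maxSize, maxFails int, window time.Duration, failClosed bool) *tracker {
	return &tracker{entries: map[string]*failedLogin{}, maxSize: maxSize, maxFails: maxFails, window: window, failClosed: failClosed}
}

// IsLocked reports whether username has reached maxFails inside the window.
func (t *tracker) IsLocked(username string) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	e, ok := t.entries[username]
	return ok && e.count >= t.maxFails && time.Since(e.lastFail) < t.window
}

// RecordFailure is called after a password check fails. It returns false only when
// the hardened policy refuses to track a new username because the table is full.
func (t *tracker) RecordFailure(username string) bool {
	t.mu.Lock()
	defer t.mu.Unlock()
	if e, ok := t.entries[username]; ok {
		e.count++
		e.lastFail = time.Now()
		return true
	}
	if len(t.entries) >= t.maxSize { // first reclaim entries whose window has elapsed
		kept := make([]string, 0, len(t.order))
		for _, u := range t.order {
			if time.Since(t.entries[u].lastFail) < t.window {
				kept = append(kept, u)
			} else {
				delete(t.entries, u)
			}
		}
		t.order = kept
	}
	if len(t.entries) >= t.maxSize {
		if t.failClosed {
			return false // refuse rather than discard someone else's lockout
		}
		delete(t.entries, t.order[0]) // weak: the oldest entry may be the locked-out admin
		t.order = t.order[1:]
	}
	t.entries[username] = &failedLogin{count: 1, lastFail: time.Now()}
	t.order = append(t.order, username)
	return true
}

// demonstrate replays the advisory's scenario: lock out "admin", then flood the
// table with throwaway usernames from concurrent goroutines. The mutex keeps the
// flood safe; without it the Go runtime aborts the process with "fatal error:
// concurrent map writes", which also discards the whole in-memory table.
func demonstrate(failClosed bool) (adminStillLocked bool, refused int) {
	const maxSize, maxFails = 3, 5
	t := newTracker(maxSize, maxFails, 5*time.Minute, failClosed)
	for i := 0; i < maxFails; i++ {
		t.RecordFailure("admin")
	}
	var wg sync.WaitGroup
	var n int32
	for i := 0; i < maxSize; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			if !t.RecordFailure(fmt.Sprintf("ghost-%d", i)) {
				atomic.AddInt32(&n, 1)
			}
		}(i)
	}
	wg.Wait()
	return t.IsLocked("admin"), int(atomic.LoadInt32(&n))
}

func main() {
	fmt.Println(demonstrate(false)) // weak policy:     false 0
	fmt.Println(demonstrate(true))  // hardened policy: true 1
}
```

With the weak policy, three throwaway usernames are enough to push the admin's lockout out of a three-entry table, so `IsLocked("admin")` flips back to false without the attacker ever guessing the admin password. With the fail-closed policy the third throwaway username is refused and the lockout survives. Fail-closed has a cost of its own: while the table is full, a login with a never-seen username has to be answered as locked until entries expire, which is why the size cap and window must be generous. And because the table lives in process memory, any crash, including the concurrent-write abort the second advisory describes, still resets it; defeating the third advisory's chain requires the failure counters to survive a restart.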
CVE-2023-50726 – Users with `create` but not `override` privileges can perform local sync in argo-cd
https://notcve.org/view.php?id=CVE-2023-50726
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. • https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978 https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm https://access.redhat.com/security/cve/CVE-2023-50726 https://bugzilla.redhat.com/show_bug.cgi?id=2269479 • CWE-269: Improper Privilege Management •
CVE-2024-28175 – Cross-site scripting on application summary component in argo-cd
https://notcve.org/view.php?id=CVE-2024-28175
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to improper filtering of the URL protocols of links specified in `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug that allows a malicious user to inject a `javascript:` link into the UI. When a victim user clicks it, the script executes with the victim's permissions (up to and including admin), allowing the attacker to perform arbitrary actions on the victim's behalf via the API, such as creating, modifying, and deleting Kubernetes resources. • https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71 https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387 https://access.redhat.com/security/cve/CVE-2024-28175 https://bugzilla.redhat.com/show_bug.cgi?id=2268518 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
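The annotation value ends up as the href of a link, so the security question is which URL schemes get rendered at all. The Go program below is an added example for this page, not Argo CD's code or the UI fix referenced in the commit above; `naiveSafeLink`, `safeLink` and the sample annotation values are constructed for illustration. It puts a denylist check beside an allowlist check and runs both over legitimate dashboard links and `javascript:` and `data:` payloads, including whitespace-obfuscated forms that browsers still execute.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// naiveSafeLink is the kind of denylist check that leaves the XSS open: browsers
// strip leading whitespace and embedded tabs/newlines from an href before they
// resolve its scheme, so "\tjavascript:..." still executes.
func naiveSafeLink(raw string) bool {
	return !strings.HasPrefix(strings.ToLower(raw), "javascript:")
}

// safeLink is an allowlist: the value must parse as an absolute URL with an
// http(s) scheme and a host. url.Parse rejects control characters (tab, newline)
// and lowercases the scheme, so the obfuscated variants fall out as well.
func safeLink(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
}

// sampleLinks are constructed annotation values: two legitimate dashboards and
// seven payloads an attacker might place in link.argocd.argoproj.io.
var sampleLinks = []string{
	"https://grafana.example.com/d/abc?orgId=1",
	"http://10.0.0.1:3000/",
	"javascript:alert(document.cookie)",
	"JaVaScRiPt:alert(1)",
	" javascript:alert(1)",
	"\tjavascript:alert(1)",
	"java\tscript:alert(1)",
	"data:text/html,<script>alert(1)</script>",
	"//evil.example.com/",
}

// audit runs both checks over sampleLinks and returns the values each one would
// have rendered as a clickable href.
func audit() (passNaive, passAllowlist []string) {
	for _, l := range sampleLinks {
		if naiveSafeLink(l) {
			passNaive = append(passNaive, l)
		}
		if safeLink(l) {
			passAllowlist = append(passAllowlist, l)
		}
	}
	return passNaive, passAllowlist
}

func main() {
	naive, allow := audit()
	fmt.Printf("denylist renders %d of %d links: %q\n", len(naive), len(sampleLinks), naive)
	fmt.Printf("allowlist renders %d of %d links: %q\n", len(allow), len(sampleLinks), allow)
}
```

Only the allowlist rejects all seven payloads; the denylist lets through the leading-space and embedded-tab variants, the `data:` URL and the protocol-relative `//evil.example.com/`. The scheme check addresses only the `javascript:`-link vector described above; the link text itself still has to be HTML-escaped by the component that displays it.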