CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-32476 – Denial of Service via malicious jqPathExpressions in ignoreDifferences
https://notcve.org/view.php?id=CVE-2024-32476
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16. Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Existe una vulnerabilidad de denegación de servicio (DoS) a través de OOM usando jq en ignoreDifferences. • https://github.com/argoproj/argo-cd/commit/7893979a1e78d59cedd0ba790ded24e30bb40657 https://github.com/argoproj/argo-cd/commit/9e5cc5a26ff0920a01816231d59fdb5eae032b5a https://github.com/argoproj/argo-cd/commit/e2df7315fb7d96652186bf7435773a27be330cac https://github.com/argoproj/argo-cd/security/advisories/GHSA-9m6p-x4h2-6frq • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-31990 – Argo CD' API server does not enforce project sourceNamespaces
https://notcve.org/view.php?id=CVE-2024-31990
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16. Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. El servidor API no aplica los espacios de nombres de origen del proyecto, lo que permite a los atacantes usar la interfaz de usuario para editar recursos que solo deberían poder modificarse a través de gitops. • https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5 https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17 https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c https://access.redhat.com/security/cve/CVE-2024-31990 https://bugzilla.redhat.com/show_bug.cgi?id=2275189 • CWE-863: Incorrect Authorization •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-29893 – Uncontrolled Resource Consumption vulnerability in ArgoCD's repo server
https://notcve.org/view.php?id=CVE-2024-29893
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD's helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. • https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59 https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3 https://access.redhat.com/security/cve/CVE-2024-29893 https://bugzilla.redhat.com/show_bug.cgi?id=2272211 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-21662 – Argo CD vulnerable to Bypassing of Rate Limit and Brute Force Protection Using Cache Overflow
https://notcve.org/view.php?id=CVE-2024-21662
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. • https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456 https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454 https://access.redhat.com/security/cve/CVE-2024-21662 https://bugzilla.redhat.com/sh • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2024-21661 – Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment
https://notcve.org/view.php?id=CVE-2024-21661
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. • https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311 https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345 https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208 https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7 https://access.redhat.com/security/cve/CVE-2024-21661 https://bugzilla.redhat.com/show_bug. • CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context CWE-787: Out-of-bounds Write •