CVE-2024-21652 – Argo CD vulnerable to Bypassing of Brute Force Protection via Application Crash and In-Memory Data Loss
https://notcve.org/view.php?id=CVE-2024-21652
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue. • https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv https://access.redhat.com/security/cve/CVE-2024-21652 https://bugzilla.redhat.com/show_bug.cgi?id=2270170 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVE-2023-50726 – Users with `create` but not `override` privileges can perform local sync in argo-cd
https://notcve.org/view.php?id=CVE-2023-50726
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. "Local sync" is an Argo CD feature that allows developers to temporarily override an Application's manifests with locally-defined manifests. Use of the feature should generally be limited to highly-trusted users, since it allows the user to bypass any merge protections in git. An improper validation bug allows users who have `create` privileges but not `override` privileges to sync local manifests on app creation. All other restrictions, including AppProject restrictions are still enforced. • https://argo-cd.readthedocs.io/en/latest/operator-manual/rbac https://github.com/argoproj/argo-cd/commit/3b8f673f06c2d228e01cbc830e5cb57cef008978 https://github.com/argoproj/argo-cd/security/advisories/GHSA-g623-jcgg-mhmm https://access.redhat.com/security/cve/CVE-2023-50726 https://bugzilla.redhat.com/show_bug.cgi?id=2269479 • CWE-269: Improper Privilege Management •
CVE-2024-28175 – Cross-site scripting on application summary component in argo-cd
https://notcve.org/view.php?id=CVE-2024-28175
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. • https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71 https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387 https://access.redhat.com/security/cve/CVE-2024-28175 https://bugzilla.redhat.com/show_bug.cgi?id=2268518 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-22424 – Cross-Site Request Forgery (CSRF) in github.com/argoproj/argo-cd
https://notcve.org/view.php?id=CVE-2024-22424
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The Argo CD API prior to versions 2.10-rc2, 2.9.4, 2.8.8, and 2.7.15 are vulnerable to a cross-server request forgery (CSRF) attack when the attacker has the ability to write HTML to a page on the same parent domain as Argo CD. A CSRF attack works by tricking an authenticated Argo CD user into loading a web page which contains code to call Argo CD API endpoints on the victim’s behalf. For example, an attacker could send an Argo CD user a link to a page which looks harmless but in the background calls an Argo CD API endpoint to create an application running malicious code. Argo CD uses the “Lax” SameSite cookie policy to prevent CSRF attacks where the attacker controls an external domain. • https://github.com/argoproj/argo-cd/issues/2496 https://github.com/argoproj/argo-cd/pull/16860 https://github.com/argoproj/argo-cd/security/advisories/GHSA-92mw-q256-5vwg https://access.redhat.com/security/cve/CVE-2024-22424 https://bugzilla.redhat.com/show_bug.cgi?id=2259105 • CWE-352: Cross-Site Request Forgery (CSRF) •