CVE-2024-47827 – Argo Workflows Controller: Denial of Service via malicious daemon Workflows
https://notcve.org/view.php?id=CVE-2024-47827
Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Due to a race condition on a global variable in 3.6.0-rc1, the Argo Workflows controller can be made to crash on command by any user with access to execute a workflow. This vulnerability is fixed in 3.6.0-rc2.
References:
https://github.com/argoproj/argo-workflows/blob/ce7f9bfb9b45f009b3e85fabe5e6410de23c7c5f/workflow/metrics/metrics_k8s_request.go#L75
https://github.com/argoproj/argo-workflows/commit/524406451f4dfa57bf3371fb85becdb56a2b309a
https://github.com/argoproj/argo-workflows/pull/13641
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-ghjw-32xw-ffwr
Weaknesses: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'); CWE-1108: Excessive Reliance on Global Variables
CVE-2024-41666 – The Argo CD web terminal session does not handle the revocation of user permissions properly.
https://notcve.org/view.php?id=CVE-2024-41666
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD has a web-based terminal that allows users to get a shell inside a running pod, just as they would with kubectl exec. Starting in version 2.6.0, when the administrator enables this function and grants the user the permission `p, role:myrole, exec, create, */*, allow`, the user can still perform operations in the container even after this permission is revoked, as long as the user keeps the terminal view open for a long time. Although token expiration and revocation of the user are handled, the fix does not address revocation of only the `p, role:myrole, exec, create, */*, allow` permission, which may still lead to the leakage of sensitive information. A patch for this vulnerability has been released in Argo CD versions 2.11.7, 2.10.16, and 2.9.21.
References:
https://drive.google.com/file/d/1Fynj5Sho8Lf8CETqsNXZyPKlTDdmgJuN/view?usp=sharing
https://github.com/argoproj/argo-cd/commit/05edb2a9ca48f0f10608c1b49fbb0cf7164f6476
https://github.com/argoproj/argo-cd/commit/e96f32d233504101ddac028a5bf8117433d333d6
https://github.com/argoproj/argo-cd/commit/ef535230d8bd8ad7b18aab1ea1063e9751d348c4
https://github.com/argoproj/argo-cd/security/advisories/GHSA-v8wx-v5jq-qhhw
Weaknesses: CWE-269: Improper Privilege Management
CVE-2024-40634 – Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
https://notcve.org/view.php?id=CVE-2024-40634
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. An unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.
References:
https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
https://access.redhat.com/security/cve/CVE-2024-40634
https://bugzilla.redhat.com/show_bug.cgi?id=2299473
Weaknesses: CWE-400: Uncontrolled Resource Consumption
CVE-2024-37152 – Unauthenticated Access to sensitive settings in Argo CD
https://notcve.org/view.php?id=CVE-2024-37152
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by the /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
References:
https://github.com/argoproj/argo-cd/commit/256d90178b11b04bc8174d08d7b663a2a7b1771b
https://github.com/argoproj/argo-cd/security/advisories/GHSA-87p9-x75h-p4j2
Weaknesses: CWE-287: Improper Authentication; CWE-306: Missing Authentication for Critical Function
CVE-2024-36106 – Argo CD allows authenticated users to enumerate clusters by name
https://notcve.org/view.php?id=CVE-2024-36106
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It is possible for authenticated users to enumerate clusters by name by inspecting error messages. It is also possible to enumerate the names of projects with project-scoped clusters if the names of the clusters are known. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
References:
https://github.com/argoproj/argo-cd/commit/c2647055c261a550e5da075793260f6524e65ad9
https://github.com/argoproj/argo-cd/security/advisories/GHSA-3cqf-953p-h5cp
Weaknesses: CWE-209: Generation of Error Message Containing Sensitive Information