20 results (0.008 seconds)

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20. Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. • https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36 https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w https://access.redhat.com/security/cve/CVE-2024-40634 https://bugzilla.redhat.com/show_bug.cgi?id=2299473 • CWE-400: Uncontrolled Resource Consumption •

CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 0

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17. Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. • https://github.com/argoproj/argo-cd/commit/c2647055c261a550e5da075793260f6524e65ad9 https://github.com/argoproj/argo-cd/security/advisories/GHSA-3cqf-953p-h5cp • CWE-209: Generation of Error Message Containing Sensitive Information •

CVSS: 9.6EPSS: 0%CPEs: 5EXPL: 1

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. • https://github.com/vt0x78/CVE-2024-31989 https://github.com/argoproj/argo-cd/commit/2de0ceade243039c120c28374016c04ff9590d1d https://github.com/argoproj/argo-cd/commit/35a7d6c7fa1534aceba763d6a68697f36c12e678 https://github.com/argoproj/argo-cd/commit/4e2fe302c3352a0012ecbe7f03476b0e07f7fc6c https://github.com/argoproj/argo-cd/commit/53570cbd143bced49d4376d6e31bd9c7bd2659ff https://github.com/argoproj/argo-cd/commit/6ef7b62a0f67e74b4aac2aee31c98ae49dd95d12 https://github.com/argoproj/argo-cd/commit/9552034a80070a93a161bfa330359585f3b85f07 https://github.com&#x • CWE-327: Use of a Broken or Risky Cryptographic Algorithm CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation •

CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16. Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. El servidor API no aplica los espacios de nombres de origen del proyecto, lo que permite a los atacantes usar la interfaz de usuario para editar recursos que solo deberían poder modificarse a través de gitops. • https://github.com/argoproj/argo-cd/commit/c514105af739eebedb9dbe89d8a6dd8dfc30bb2c https://github.com/argoproj/argo-cd/commit/c5a252c4cc260e240e2074794aedb861d07e9ca5 https://github.com/argoproj/argo-cd/commit/e0ff56d89fbd7d066e9c862b30337f6520f13f17 https://github.com/argoproj/argo-cd/security/advisories/GHSA-2gvw-w6fj-7m3c https://access.redhat.com/security/cve/CVE-2024-31990 https://bugzilla.redhat.com/show_bug.cgi?id=2275189 • CWE-863: Incorrect Authorization •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out of memory error by pointing it to a malicious Helm registry. The loadRepoIndex() function in the ArgoCD's helm package, does not limit the size nor time while fetching the data. It fetches it and creates a byte slice from the retrieved data in one go. • https://github.com/argoproj/argo-cd/commit/14f681e3ee7c38731943b98f92277e88a3db109d https://github.com/argoproj/argo-cd/commit/36b8a12a38f8d92d55bffc81deed44389bf6eb59 https://github.com/argoproj/argo-cd/commit/3e5a878f6e30d935fa149723ea2a2e93748fcddd https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhwx-mhww-rgc3 https://access.redhat.com/security/cve/CVE-2024-29893 https://bugzilla.redhat.com/show_bug.cgi?id=2272211 • CWE-400: Uncontrolled Resource Consumption •