CVE-2022-31016

Argo CD vulnerable to Uncontrolled Memory Consumption

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.

Argo CD es un despliegue continuo declarativo para Kubernetes. Argo CD versiones v0.7.0 y posteriores, son vulnerables a un error de consumo de memoria no controlado, lo que permite a un usuario malicioso autorizado bloquear el servicio de repo-servidor, resultando en una denegación de servicio. El atacante debe ser un usuario autenticado de Argo CD autorizado a desplegar Aplicaciones desde un repositorio que contenga (o pueda hacerse que contenga) un archivo grande. La corrección de esta vulnerabilidad está disponible en versiones 2.3.5, 2.2.10, 2.1.16 y posteriores. No se presentan mitigaciones conocidas. Es recomendado a usuarios actualizar

A flaw was found in ArgoCD, which is vulnerable to an uncontrolled memory consumption bug. A crafted manifest file can lead the ArgoCD's repo-server component to crash, causing a denial of service. The attacker must be an authenticated user to exploit this vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-05-18 CVE Reserved
2022-06-22 CVE Published
2024-01-16 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwq	2023-07-21

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-31016	2022-06-24
https://bugzilla.redhat.com/show_bug.cgi?id=2096283	2022-06-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linuxfoundation Search vendor "Linuxfoundation"		Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd"				>= 0.7.0 < 2.1.16 Search vendor "Linuxfoundation" for product "Argo-cd" and version " >= 0.7.0 < 2.1.16"		-		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd"				>= 2.2.0 < 2.2.10 Search vendor "Linuxfoundation" for product "Argo-cd" and version " >= 2.2.0 < 2.2.10"		-		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd"				>= 2.3.0 < 2.3.5 Search vendor "Linuxfoundation" for product "Argo-cd" and version " >= 2.3.0 < 2.3.5"		-		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Argo-cd Search vendor "Linuxfoundation" for product "Argo-cd"				>= 2.4.0 < 2.4.1 Search vendor "Linuxfoundation" for product "Argo-cd" and version " >= 2.4.0 < 2.4.1"		-		Affected