CVE-2024-21652
Argo CD vulnerable to Bypassing of Brute Force Protection via Application Crash and In-Memory Data Loss
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.
Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Antes de las versiones 2.8.13, 2.9.9 y 2.10.4, un atacante podía explotar una cadena de vulnerabilidades, incluida una falla de denegación de servicio (DoS) y una debilidad en el almacenamiento de datos en memoria, para evitar de manera efectiva el inicio de sesión de fuerza bruta de la aplicación. proteccion. Esta es una vulnerabilidad de seguridad crítica que permite a los atacantes eludir el mecanismo de protección de inicio de sesión de fuerza bruta. No sólo pueden bloquear el servicio y afectar a todos los usuarios, sino que también pueden realizar intentos de inicio de sesión ilimitados, lo que aumenta el riesgo de que la cuenta se vea comprometida. Las versiones 2.8.13, 2.9.9 y 2.10.4 contienen un parche para este problema.
A bypass of brute force protection flaw was found in Argo CD. Since login attempts are stored only in memory, every time the server restarts, that number is lost and unlimited login attempts can be made. It is possible to bypass brute force protections by chaining this issue with a denial of service issue, such as CVE-2024-21661.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2023-12-29 CVE Reserved
- 2024-03-18 CVE Published
- 2024-03-19 EPSS Updated
- 2024-08-01 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-307: Improper Restriction of Excessive Authentication Attempts
CAPEC
References (3)
URL | Tag | Source |
---|---|---|
https://github.com/argoproj/argo-cd/security/advisories/GHSA-x32m-mvfj-52xv | X_refsource_confirm |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2024-21652 | 2024-04-10 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2270170 | 2024-04-10 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Argoproj Search vendor "Argoproj" | Argo-cd Search vendor "Argoproj" for product "Argo-cd" | < 2.8.13 Search vendor "Argoproj" for product "Argo-cd" and version " < 2.8.13" | en |
Affected
| ||||||
Argoproj Search vendor "Argoproj" | Argo-cd Search vendor "Argoproj" for product "Argo-cd" | >= 2.9.0 < 2.9.9 Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.9.0 < 2.9.9" | en |
Affected
| ||||||
Argoproj Search vendor "Argoproj" | Argo-cd Search vendor "Argoproj" for product "Argo-cd" | >= 2.10.0 < 2.10.4 Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.10.0 < 2.10.4" | en |
Affected
|