// For flags

CVE-2024-21652

Argo CD vulnerable to Bypassing of Brute Force Protection via Application Crash and In-Memory Data Loss

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.

Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Antes de las versiones 2.8.13, 2.9.9 y 2.10.4, un atacante podía explotar una cadena de vulnerabilidades, incluida una falla de denegación de servicio (DoS) y una debilidad en el almacenamiento de datos en memoria, para evitar de manera efectiva el inicio de sesión de fuerza bruta de la aplicación. proteccion. Esta es una vulnerabilidad de seguridad crítica que permite a los atacantes eludir el mecanismo de protección de inicio de sesión de fuerza bruta. No sólo pueden bloquear el servicio y afectar a todos los usuarios, sino que también pueden realizar intentos de inicio de sesión ilimitados, lo que aumenta el riesgo de que la cuenta se vea comprometida. Las versiones 2.8.13, 2.9.9 y 2.10.4 contienen un parche para este problema.

A bypass of brute force protection flaw was found in Argo CD. Since login attempts are stored only in memory, every time the server restarts, that number is lost and unlimited login attempts can be made. It is possible to bypass brute force protections by chaining this issue with a denial of service issue, such as CVE-2024-21661.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
Yes
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2023-12-29 CVE Reserved
  • 2024-03-18 CVE Published
  • 2024-03-19 EPSS Updated
  • 2024-08-01 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-307: Improper Restriction of Excessive Authentication Attempts
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Argoproj
Search vendor "Argoproj"
Argo-cd
Search vendor "Argoproj" for product "Argo-cd"
< 2.8.13
Search vendor "Argoproj" for product "Argo-cd" and version " < 2.8.13"
en
Affected
Argoproj
Search vendor "Argoproj"
Argo-cd
Search vendor "Argoproj" for product "Argo-cd"
>= 2.9.0 < 2.9.9
Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.9.0 < 2.9.9"
en
Affected
Argoproj
Search vendor "Argoproj"
Argo-cd
Search vendor "Argoproj" for product "Argo-cd"
>= 2.10.0 < 2.10.4
Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.10.0 < 2.10.4"
en
Affected