CVE-2024-21661

Argo CD Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment. The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes. This is a Denial of Service (DoS) vulnerability. Any attacker can crash the application continuously, making it impossible for legitimate users to access the service. The issue is exacerbated because it does not require authentication, widening the pool of potential attackers. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.

Argo CD es una herramienta declarativa de entrega continua de GitOps para Kubernetes. Antes de las versiones 2.8.13, 2.9.9 y 2.10.4, un atacante podía explotar una falla crítica en la aplicación para iniciar un ataque de denegación de servicio (DoS), dejando la aplicación inoperable y afectando a todos los usuarios. El problema surge de la manipulación insegura de una matriz en un entorno de subprocesos múltiples. La vulnerabilidad tiene su origen en el código de la aplicación, donde se modifica una matriz mientras se itera sobre ella. Este es un error de programación clásico, pero se vuelve críticamente inseguro cuando se ejecuta en un entorno de subprocesos múltiples. Cuando dos subprocesos interactúan con la misma matriz simultáneamente, la aplicación falla. Esta es una vulnerabilidad de denegación de servicio (DoS). Cualquier atacante puede bloquear la aplicación continuamente, imposibilitando que los usuarios legítimos accedan al servicio. El problema se agrava porque no requiere autenticación, lo que amplía el grupo de atacantes potenciales. Las versiones 2.8.13, 2.9.9 y 2.10.4 contienen un parche para este problema.

A flaw was found in Argo CD that may result in a remote denial of service. The expireOldFailedAttempts function modifies an array while it is being iterated over. This issue may cause an application crash when executed in a multi-threaded environment if two threads interact with the same array simultaneously.

*Credits: N/A

CVSS Scores

GitHubv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Poc

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-12-29 CVE Reserved
2024-03-18 CVE Published
2024-03-19 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
CWE-787: Out-of-bounds Write

CAPEC

References (7)

URL	Tag	Source
https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311	X_refsource_misc
https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345	X_refsource_misc
https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208	X_refsource_misc
https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b	X_refsource_misc
https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-21661	2024-04-10
https://bugzilla.redhat.com/show_bug.cgi?id=2270173	2024-04-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Argoproj Search vendor "Argoproj"		Argo-cd Search vendor "Argoproj" for product "Argo-cd"				< 2.8.13 Search vendor "Argoproj" for product "Argo-cd" and version " < 2.8.13"		en		Affected
Argoproj Search vendor "Argoproj"		Argo-cd Search vendor "Argoproj" for product "Argo-cd"				>= 2.9.0 < 2.9.9 Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.9.0 < 2.9.9"		en		Affected
Argoproj Search vendor "Argoproj"		Argo-cd Search vendor "Argoproj" for product "Argo-cd"				>= 2.10.0 < 2.10.4 Search vendor "Argoproj" for product "Argo-cd" and version " >= 2.10.0 < 2.10.4"		en		Affected