CVE-2024-40634

2024-07-2218:15:03

CWE-400

GitHub_M

web.nvd.nist.gov

argo cd

json payload

oom

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

16.1%

JSON

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.

Affected configurations

Vulners

Vulnrichment

Node

argoprojargo_cdRange1.0.0–2.9.20

argoprojargo_cdRange2.10.0–2.10.15

argoprojargo_cdRange2.11.0–2.11.6

VendorProductVersionCPE
argoprojargo_cd*cpe:2.3:a:argoproj:argo_cd:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
argoproj	argo_cd	*	cpe:2.3:a:argoproj:argo_cd::::::::

CNA Affected

[
  {
    "vendor": "argoproj",
    "product": "argo-cd",
    "versions": [
      {
        "version": ">= 1.0.0, < 2.9.20",
        "status": "affected"
      },
      {
        "version": ">= 2.10.0, < 2.10.15",
        "status": "affected"
      },
      {
        "version": ">= 2.11.0, < 2.11.6",
        "status": "affected"
      }
    ]
  }
]