CVE-2024-40634 Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint

2024-07-2217:22:55

CWE-400

GitHub_M

www.cve.org

vulnerability

argo cd

dos

unauthenticated

webhook

kubernetes

json

out of memory

oom kill

security

availability

fixed

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

16.1%

JSON

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.

CNA Affected

[
  {
    "vendor": "argoproj",
    "product": "argo-cd",
    "versions": [
      {
        "version": ">= 1.0.0, < 2.9.20",
        "status": "affected"
      },
      {
        "version": ">= 2.10.0, < 2.10.15",
        "status": "affected"
      },
      {
        "version": ">= 2.11.0, < 2.11.6",
        "status": "affected"
      }
    ]
  }
]