Lucene search

GoogleOSV:BIT-ARGO-CD-2024-32476

HistoryMay 24, 2024 - 7:16 a.m.

BIT-argo-cd-2024-32476

2024-05-2407:16:04

Google

osv.dev

argo cd dos vulnerability

gitops

kubernetes

continuous delivery

patched versions

oom

ignoredifferences

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16.

CPENameOperatorVersion
argo-cdlt2.9.13
argo-cdge2.10.0
argo-cdlt2.8.17
argo-cdlt2.10.8
argo-cdge2.9.0

Name	Operator	Version
argo-cd	lt	2.9.13
argo-cd	ge	2.10.0
argo-cd	lt	2.8.17
argo-cd	lt	2.10.8
argo-cd	ge	2.9.0

References

github.com/argoproj/argo-cd/commit/7893979a1e78d59cedd0ba790ded24e30bb40657

github.com/argoproj/argo-cd/commit/9e5cc5a26ff0920a01816231d59fdb5eae032b5a

github.com/argoproj/argo-cd/commit/e2df7315fb7d96652186bf7435773a27be330cac

github.com/argoproj/argo-cd/security/advisories/GHSA-9m6p-x4h2-6frq

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

6.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.5%

JSON

Related for OSV:BIT-ARGO-CD-2024-32476