GoogleOSV:GHSA-9M6P-X4H2-6FRQArgo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.6%
Impact
DoS vuln via OOM using jq in ignoreDifferences.
ignoreDifferences:
- group: apps
kind: Deployment
jqPathExpressions:
- 'until(true == false; [.] + [1])'
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.10.8
v2.9.13
v2.8.17
For more information
If you have any questions or comments about this advisory:
Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd
Credits
This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
References
github.com/argoproj/argo-cd
github.com/argoproj/argo-cd/commit/7893979a1e78d59cedd0ba790ded24e30bb40657
github.com/argoproj/argo-cd/commit/9e5cc5a26ff0920a01816231d59fdb5eae032b5a
github.com/argoproj/argo-cd/commit/e2df7315fb7d96652186bf7435773a27be330cac
github.com/argoproj/argo-cd/security/advisories/GHSA-9m6p-x4h2-6frq
nvd.nist.gov/vuln/detail/CVE-2024-32476
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.9 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.6%