The Argo CD web terminal session does not handle the revocation of user permissions properly
Argo CD v2.11.3 and before: even after the user's p, role:myrole, exec, create, */*, allow permission is revoked, the user can still send any WebSocket message over an already-open web terminal session, which allows the user to view sensitive information they should no longer have access to. Description: Argo CD has ...
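The failure mode above is a one-time authorization check on a long-lived WebSocket. The following is an added example, not Argo CD's own code: a minimal reader for policy lines in the Argo CD RBAC CSV shape (p, subject, resource, action, object, effect and g, user, role), a terminal session that authorizes only at open (the behaviour the advisory describes), and one that re-checks the policy on every inbound frame. Glob matching with fnmatch, the user name alice, and the application default/guestbook are assumptions made for the demo; the real implementation uses casbin and its own matcher.

```python
"""Added example (not Argo CD's code): a permission check done once at session
open is not enough for a long-lived web terminal WebSocket; re-check per frame.

Policy lines follow the Argo CD RBAC CSV shape
  p, <subject>, <resource>, <action>, <object>, <effect>
  g, <user-or-group>, <role>
Glob matching via fnmatch is an assumption for this demo."""
import fnmatch


class Policy:
    def __init__(self, csv_text: str):
        self.rules = []      # (subject, resource, action, object, effect)
        self.groups = {}     # user -> set of roles granted by 'g' lines
        for raw in csv_text.splitlines():
            parts = [p.strip() for p in raw.split(",")]
            if parts[0] == "p" and len(parts) == 6:
                self.rules.append(tuple(parts[1:]))
            elif parts[0] == "g" and len(parts) == 3:
                self.groups.setdefault(parts[1], set()).add(parts[2])

    def revoke(self, rule_line: str) -> None:
        """Drop one 'p, ...' rule, as an admin editing argocd-rbac-cm would."""
        wanted = tuple(p.strip() for p in rule_line.split(","))[1:]
        self.rules = [r for r in self.rules if r != wanted]

    def allows(self, user: str, resource: str, action: str, obj: str) -> bool:
        subjects = {user} | self.groups.get(user, set())
        allowed = False
        for subj, res, act, o, eff in self.rules:
            if (subj in subjects and res == resource
                    and fnmatch.fnmatchcase(action, act)
                    and fnmatch.fnmatchcase(obj, o)):
                if eff == "deny":
                    return False          # an explicit deny always wins
                allowed = True
        return allowed


class VulnerableTerminal:
    """Authorizes once at open and never again."""
    def __init__(self, policy: Policy, user: str, app: str):
        self.allowed = policy.allows(user, "exec", "create", app)

    def on_message(self, frame: str) -> str:
        return "forwarded" if self.allowed else "closed"


class FixedTerminal:
    """Re-evaluates the policy on every inbound WebSocket frame."""
    def __init__(self, policy: Policy, user: str, app: str):
        self.policy, self.user, self.app = policy, user, app
        if not policy.allows(user, "exec", "create", app):
            raise PermissionError("exec not permitted")

    def on_message(self, frame: str) -> str:
        if not self.policy.allows(self.user, "exec", "create", self.app):
            return "closed"       # permission vanished mid-session: drop it
        return "forwarded"


# Constructed sample policy: the grant named in the advisory, given to alice.
POLICY_CSV = """\
p, role:myrole, exec, create, */*, allow
g, alice, role:myrole
"""


def demo():
    """Returns ((vuln, fixed) before revocation, (vuln, fixed) after)."""
    policy = Policy(POLICY_CSV)
    app = "default/guestbook"
    vuln = VulnerableTerminal(policy, "alice", app)
    fixed = FixedTerminal(policy, "alice", app)
    before = (vuln.on_message("ls\n"), fixed.on_message("ls\n"))
    policy.revoke("p, role:myrole, exec, create, */*, allow")
    after = (vuln.on_message("env\n"), fixed.on_message("env\n"))
    return before, after


if __name__ == "__main__":
    print(demo())   # (('forwarded', 'forwarded'), ('forwarded', 'closed'))
```

The vulnerable session keeps forwarding frames after the grant is gone because it cached the decision; the fixed session notices on the next frame. A per-frame check is cheap against an in-memory policy; if the check is expensive, re-evaluating on a short timer gives the same bound on the exposure window.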
GHSA-9M6P-X4H2-6FRQ Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences
Impact: Denial of service via out-of-memory (OOM) in the jq evaluation of ignoreDifferences, e.g. with an expression that never terminates:
  ignoreDifferences:
  - group: apps
    kind: Deployment
    jqPathExpressions:
    - 'until(true == false; . + 1)'
Patches: A patch for this vulnerability has been released in the following Argo CD versions: v2.10.8, v2.9.13, v2.8.17. For more information: If you...
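The expression in the advisory never terminates, so the only defence that does not require parsing user-supplied jq is to bound its evaluation. The following is an added example, not Argo CD's code: a generic bounded evaluator that runs an expression in a child process and kills it on deadline. The two stand-in "expressions" are Python functions that mimic .spec.replicas and until(true == false; . + 1); a real deployment would call jq in their place. The 1 s default budget and the 0.5 s value used for the runaway case are assumptions for the demo.

```python
"""Added example (not Argo CD's code): bounding evaluation of a user-supplied
expression with a hard timeout, so an expression that never terminates, like
the advisory's until(true == false; . + 1), cannot pin a CPU or grow memory
without limit. Timeout values here are demo assumptions."""
import multiprocessing as mp
import queue


def _run(fn, doc, out):
    try:
        out.put(("ok", fn(doc)))
    except Exception as exc:          # an evaluator error is a result, not a crash
        out.put(("error", repr(exc)))


def evaluate_bounded(fn, doc, timeout_s=1.0):
    """Run fn(doc) in a child process; terminate it if it exceeds timeout_s.

    A process rather than a thread: a runaway loop cannot be interrupted from
    another thread, and an OOM in the child does not take the parent down."""
    out = mp.Queue()
    child = mp.Process(target=_run, args=(fn, doc, out), daemon=True)
    child.start()
    try:
        status, value = out.get(timeout=timeout_s)
    except queue.Empty:
        child.terminate()
        child.join()
        return "timeout", None
    child.join()
    return status, value


# Stand-ins for jqPathExpressions; the real thing would invoke jq.
def replicas_path(doc):
    """Well-behaved: analogous to '.spec.replicas'."""
    return doc["spec"]["replicas"]


def runaway(doc):
    """Analogous to 'until(true == false; . + 1)': the condition never holds,
    so the accumulator grows forever (in jq, so does the bignum's memory)."""
    n = 0
    while True:
        n = n + 1
    return n  # never reached


SAMPLE_DEPLOYMENT = {"kind": "Deployment", "spec": {"replicas": 3}}  # constructed


def demo():
    """Returns the (status, value) pair for the sane and the runaway expression."""
    good = evaluate_bounded(replicas_path, SAMPLE_DEPLOYMENT)
    bad = evaluate_bounded(runaway, SAMPLE_DEPLOYMENT, timeout_s=0.5)
    return good, bad


if __name__ == "__main__":
    print(demo())   # (('ok', 3), ('timeout', None))
```

A timeout alone caps CPU time; if the expression can allocate quickly, pair it with a memory limit on the child (resource.setrlimit on Linux) so the kill happens before the host, rather than the evaluator, runs out of memory.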
GHSA-2GVW-W6FJ-7M3C Argo CD's API server does not enforce project sourceNamespaces
Impact: I can convince the UI to let me do things with an invalid Application.
1. Admin gives me p, michael, applications, *, demo/*, allow, where demo can just deploy to the demo namespace
2. Admin gives me AppProject dev which reconciles from ns dev-apps
3. Admin gives me p, michael, applications,...
GHSA-JHWX-MHWW-RGC3 ArgoCD's repo server has Uncontrolled Resource Consumption vulnerability
Impact: All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, it's possible to crash the repo server component through an out-of-memory error by pointing it to a malicious Helm registry. The...
Argo CD repo-server Denial of Service vulnerability
Impact: All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, this component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious,...
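The missing check is a size budget applied before each member is inflated. The following is an added example, not Argo CD's code: a tar.gz reader that refuses any member whose declared size exceeds a per-file limit, and any archive whose members together exceed a total limit, before decompressing the body. The limits, the chart layout and the 8 MiB zero-filled member are constructed for the demo.

```python
"""Added example (not Argo CD's code): extracting an untrusted tar.gz with a
per-file and total size budget, the validation the advisory says the
repo-server lacked. Limits are illustrative demo values."""
import io
import tarfile

MAX_FILE_BYTES = 1 * 1024 * 1024      # 1 MiB per member (demo value)
MAX_TOTAL_BYTES = 4 * 1024 * 1024     # 4 MiB per archive (demo value)


def extract_bounded(data: bytes, max_file=MAX_FILE_BYTES, max_total=MAX_TOTAL_BYTES):
    """Return {name: content} for regular files, rejecting the archive before
    an oversized member is inflated. Iterating the TarFile reads one header at
    a time, so the declared size is known before the body is decompressed."""
    out, total = {}, 0
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf:
            if not member.isreg():
                continue                      # skip dirs, symlinks, devices
            if member.size > max_file:
                raise ValueError(f"{member.name}: {member.size} bytes exceeds per-file limit")
            total += member.size
            if total > max_total:
                raise ValueError(f"archive exceeds total limit at {member.name}")
            out[member.name] = tf.extractfile(member).read()
    return out


def build_tgz(members):
    """Build a constructed test archive from a list of (name, payload bytes)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in members:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed samples: a small chart, and one whose values.yaml is 8 MiB of
# zeros (a few KiB on the wire, far past the 1 MiB per-file budget inflated).
BENIGN_CHART = build_tgz([
    ("mychart/Chart.yaml", b"apiVersion: v2\nname: mychart\nversion: 0.1.0\n"),
    ("mychart/templates/deployment.yaml", b"kind: Deployment\n"),
])
BOMB_CHART = build_tgz([
    ("mychart/Chart.yaml", b"apiVersion: v2\nname: mychart\n"),
    ("mychart/values.yaml", b"\0" * (8 * 1024 * 1024)),
])


def demo():
    """Returns (extracted names from the benign chart, verdict on the bomb)."""
    names = sorted(extract_bounded(BENIGN_CHART))
    try:
        extract_bounded(BOMB_CHART)
        verdict = "extracted"
    except ValueError:
        verdict = "rejected"
    return names, verdict


if __name__ == "__main__":
    print(len(BOMB_CHART), "compressed bytes")
    print(demo())   # (['mychart/Chart.yaml', 'mychart/templates/deployment.yaml'], 'rejected')
```

The check trusts the tar header's size field, which is what tarfile itself uses to delimit the member, so a header cannot understate a body to smuggle more data past the limit; the only other resource to bound is the number of members, which the same loop can count.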