CVE-2024-40634
Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
| Assigner | GitHub_M |
| Reserved | 2024-07-08 |
| Published | 2024-07-22 |
| Updated | 2024-08-02 |
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.
| CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CWE-400: Uncontrolled Resource Consumption
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
