Brute Force Login Bypass in Argo CD by Vendor Argo Project
CVE-2024-21652

9.8CRITICAL

Key Information:

Vendor: Argoproj
Status: Argo-cd
Vendor: CVE Published:; 18 March 2024

What is CVE-2024-21652?

Argo CD, a powerful GitOps continuous delivery tool for Kubernetes, is vulnerable to a critical flaw that allows attackers to bypass its brute force login protection mechanism. Prior to the updates in versions 2.8.13, 2.9.9, and 2.10.4, cybercriminals could exploit a chain of issues, including a Denial of Service (DoS) vulnerability and weaknesses in in-memory data storage. This exploitation not only enables unlimited login attempts, significantly raising the threat of account compromise, but it can also lead to service disruptions affecting all users. Users are strongly advised to upgrade to the patched versions to mitigate these risks.

Affected Version(s)

argo-cd < 2.8.13 < 2.8.13

argo-cd >= 2.9.0, < 2.9.9 < 2.9.0, 2.9.9

argo-cd >= 2.10.0, < 2.10.4 < 2.10.0, 2.10.4

References

https://github.com/argoproj/argo-cd/security/advisories/G...

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 18, 2024
Vulnerability Reserved
Dec 29, 2023

JSON

Argoproj

What is CVE-2024-21652?

Affected Version(s)

References

CVSS V3.1

Timeline