Security Vulnerability in Argo CD Could Lead to Deployment Disruption
CVE-2024-40634

7.5HIGH

Key Information:

Vendor: Argoproj
Status: Argo-cd
Vendor: CVE Published:; 22 July 2024

What is CVE-2024-40634?

Argo CD is a widely used GitOps continuous delivery tool for Kubernetes that has a vulnerability allowing unauthenticated attackers to exploit the /api/webhook endpoint. By sending a specifically crafted large JSON payload, the vulnerability causes excessive memory allocation, which can trigger an Out Of Memory (OOM) kill, resulting in a substantial risk to the availability of the Argo CD service. This issue highlights potential weaknesses in the application’s handling of inputs and requires immediate attention to mitigate risks. The vulnerability has been addressed in recent updates, specifically in versions 2.11.6, 2.10.15, and 2.9.20.

Affected Version(s)

argo-cd >= 1.0.0, < 2.9.20 < 1.0.0, 2.9.20

argo-cd >= 2.10.0, < 2.10.15 < 2.10.0, 2.10.15

argo-cd >= 2.11.0, < 2.11.6 < 2.11.0, 2.11.6

References

https://github.com/argoproj/argo-cd/security/advisories/G...

x_refsource_CONFIRM

https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab...

x_refsource_MISC

https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 22, 2024

Argoproj

What is CVE-2024-40634?

Affected Version(s)

References

CVSS V3.1

Timeline