CVE-2024-21652
Published 2024-03-18
Priority P354 · critical 9.8 · CVSS 3.1 · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.75% (50.3rd percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | < 2.8.13 | 2.8.13 |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | < 2.8.13 | 2.8.13 |
| argoproj | argo_cd | >= 2.10.0 < 2.10.4 | 2.10.4 |
| argoproj | argo_cd | >= 2.9.0 < 2.9.9 | 2.9.9 |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.8.13 | 2.8.13 |
| github.com | argoproj_argo-cd_v2 | >= 2.10.0 < 2.10.4 | 2.10.4 |
| github.com | argoproj_argo-cd_v2 | >= 2.9.0 < 2.9.9 | 2.9.9 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vendor_redhat9.8CRITICAL
Red Hat
argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
vendor_redhat·2024-03-18·CVSS 9.8
CVE-2024-21652 [CRITICAL] CWE-307 argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.
A bypass of brute force protection flaw was found in Argo
OSV
Brute force protection bypass in github.com/argoproj/argo-cd/v2
osv·2024-03-22
CVE-2024-21652 Brute force protection bypass in github.com/argoproj/argo-cd/v2
An attacker can effectively bypass the rate limit and brute force protections in Argo CD by exploiting the application's weak cache-based mechanism. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account.
OSV
Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
osv·2024-03-18
CVE-2024-21652 [CRITICAL] Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
### Summary
An attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This makes the application susceptible to brute force attacks, compromising the security of all user accounts.
### Details
The issue arises from two main vulnerabilities:
1. The application crashes due to a previously described DoS vulnerability caused by unsafe array modifications in a multi-threaded environment.
2. The application saves the data of failed login attempts in-memory, without persistent storage. When the application crashes and restarts, this data is lost, resetting the brute force prot
OSV
Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
osv·2024-03-18
CVE-2024-21652 [MEDIUM] Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
### Summary
An attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a previously [patched CVE](https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force) intended to protect against brute-force attacks.
### Details
The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with log
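The cache-overflow weakness described above (and in the OSV summary earlier on this page), modelled as an added example in Go that is not Argo CD's code: a size-bounded in-memory failed-login counter that evicts the oldest tracked user when full, beside a fail-closed variant that refuses to discard lockout state. The fail-closed policy, the `failureCache` and `adminCountAfterFlood` names and the `userN` usernames are constructed assumptions, not the project's actual fix.

```go
package main

import "fmt"

// Constructed model, not Argo CD's code: a size-bounded in-memory map of
// failed-login counts. With failClosed=false (the advisory's weakness), tracking
// a new user when maxSize users are already tracked drops the oldest user, so
// an account's counter can be pushed out by failures against other usernames.
type failureCache struct {
	maxSize    int
	failClosed bool           // hardened variant: never drop state when full
	order      []string       // insertion order; index 0 is evicted first
	failures   map[string]int // username -> consecutive failed logins
}

// RecordFailure returns false only when the cache is full and failClosed is
// set; the caller should then deny the login rather than lose a counter.
func (c *failureCache) RecordFailure(user string) bool {
	if _, seen := c.failures[user]; !seen {
		if len(c.order) >= c.maxSize {
			if c.failClosed {
				return false
			}
			delete(c.failures, c.order[0]) // silently forgets that user's failures
			c.order = c.order[1:]
		}
		c.order = append(c.order, user)
	}
	c.failures[user]++
	return true
}

// adminCountAfterFlood records adminFailures for "admin", then one failure for
// each of `others` distinct constructed usernames, and returns admin's counter.
func adminCountAfterFlood(maxSize, adminFailures, others int, failClosed bool) int {
	c := &failureCache{maxSize: maxSize, failClosed: failClosed, failures: map[string]int{}}
	for i := 0; i < adminFailures; i++ {
		c.RecordFailure("admin")
	}
	for i := 0; i < others; i++ {
		c.RecordFailure(fmt.Sprintf("user%d", i))
	}
	return c.failures["admin"]
}

func main() {
	fmt.Println(adminCountAfterFlood(1000, 5, 999, false), // 5: still tracked
		adminCountAfterFlood(1000, 5, 1000, false), // 0: evicted, lockout reset
		adminCountAfterFlood(1000, 5, 1000, true)) // 5: state preserved
}
```

Fail-closed trades availability for integrity of the lockout state once the cache is full; durable storage for the counters also covers the crash-and-restart path that the chained advisory describes.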
GHSA
Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
ghsa·2024-03-18
CVE-2024-21652 [CRITICAL] CWE-307 Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
### Summary
An attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This makes the application susceptible to brute force attacks, compromising the security of all user accounts.
### Details
The issue arises from two main vulnerabilities:
1. The application crashes due to a previously described DoS vulnerability caused by unsafe array modifications in a multi-threaded environment.
2. The application saves the data of failed login attempts in-memory, without persistent storage. When the application crashes and restarts, this data is lost, resetting the brute force prot
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.