CVE-2024-21661
Published 2024-03-18
Priority: P3 (40)
CVSS 3.1: 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.18% (63.7th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9 and 2.10.4, an unauthenticated attacker can crash the Argo CD API server, rendering it inoperable for every user. The root cause is unsynchronised access to shared state in the session manager's failed-login bookkeeping (util/session/sessionmanager.go, expireOldFailedAttempts, linked in the references below): the collection of failed login attempts is modified while it is being iterated over, and nothing serialises that access between the goroutines that handle concurrent requests. Modifying a collection during iteration is a classic programming error on its own; with concurrent writers it becomes fatal, because when two goroutines touch the structure at the same time the process crashes (for a Go map the runtime detects the concurrent write and aborts with an unrecoverable fatal error, not a panic that a request handler could recover from). The affected code runs when a login attempt fails, so reaching it needs no credentials: any client that can reach the API endpoint can crash the server repeatedly and keep legitimate users locked out. The crash also discards the in-memory failed-attempt counters, which is the basis of the related brute-force-protection bypass CVE-2024-21652 listed in the Red Hat section below. Versions 2.8.13, 2.9.9 and 2.10.4 contain a patch; to check exposure, compare the running argocd-server version against those fixed versions.
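As an added example (not Argo CD's own code and not taken from the advisory), the expire-while-iterating loop the advisory describes, first in its unsynchronised form and then wrapped in a tracker whose single mutex serialises every access. The advisory calls the structure an array; modelling it here as a Go map keyed by username, the type and function names, and the injectable clock are assumptions made for this example. In Go, deleting map entries inside a range loop within one goroutine is permitted by the language, so the loop is fine in isolation; the fatal case is a second goroutine writing the same map at the same moment, which the runtime reports as an unrecoverable "concurrent map writes" error. The hardened tracker keeps the loop body unchanged and fixes only the synchronisation, which is the point: the bug is the missing lock, not the loop.

```go
// Added example modelled on the Argo CD failed-login expiry path described in
// CVE-2024-21661. Not Argo CD's code: names, the map-based model and the
// injectable clock are assumptions for illustration.
package main

import (
	"fmt"
	"sync"
	"time"
)

// LoginAttempts records consecutive failures for one username.
type LoginAttempts struct {
	LastFailed time.Time
	FailCount  int
}

// ExpireOldFailedAttemptsUnsafe deletes stale entries while ranging over the
// map. Inside a single goroutine Go permits deleting during range, so this
// works in isolation. The defect is that nothing stops another goroutine from
// writing the same map concurrently; the Go runtime treats that as a fatal
// error ("concurrent map writes"), which kills the whole process and cannot
// be recovered by a request handler. Shown here only as the "before" form.
func ExpireOldFailedAttemptsUnsafe(maxAge time.Duration, failures map[string]LoginAttempts, now time.Time) int {
	expired := 0
	for user, a := range failures {
		if now.Sub(a.LastFailed) > maxAge {
			delete(failures, user)
			expired++
		}
	}
	return expired
}

// Tracker is the hardened form: every access to the shared map, reads
// included, goes through one mutex, so expiry and failure recording can never
// interleave. (A concurrent read and write is a fatal error too.)
type Tracker struct {
	mu       sync.Mutex
	failures map[string]LoginAttempts
	maxAge   time.Duration
	now      func() time.Time // injectable clock so tests are deterministic
}

// NewTracker builds a tracker on the wall clock.
func NewTracker(maxAge time.Duration) *Tracker {
	return NewTrackerWithClock(maxAge, time.Now)
}

// NewTrackerWithClock builds a tracker with a caller-supplied clock.
func NewTrackerWithClock(maxAge time.Duration, clock func() time.Time) *Tracker {
	return &Tracker{failures: make(map[string]LoginAttempts), maxAge: maxAge, now: clock}
}

// RecordFailure is what a failed (unauthenticated) login triggers; it returns
// the user's new consecutive-failure count.
func (t *Tracker) RecordFailure(user string) int {
	t.mu.Lock()
	defer t.mu.Unlock()
	a := t.failures[user]
	a.FailCount++
	a.LastFailed = t.now()
	t.failures[user] = a
	return a.FailCount
}

// ExpireOld runs the very same loop as the unsafe function, but under the lock.
func (t *Tracker) ExpireOld() int {
	t.mu.Lock()
	defer t.mu.Unlock()
	return ExpireOldFailedAttemptsUnsafe(t.maxAge, t.failures, t.now())
}

// FailCount returns the current consecutive-failure count for a user.
func (t *Tracker) FailCount(user string) int {
	t.mu.Lock()
	defer t.mu.Unlock()
	return t.failures[user].FailCount
}

// Hammer drives the tracker from many goroutines at once, interleaving
// failure recording with expiry: the access pattern that crashes the
// unsynchronised version. It returns the user's final count once every
// writer has finished (writers * perWriter when nothing has expired).
func Hammer(t *Tracker, user string, writers, perWriter int) int {
	var wg sync.WaitGroup
	for i := 0; i < writers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for j := 0; j < perWriter; j++ {
				t.RecordFailure(user)
				t.ExpireOld()
			}
		}()
	}
	wg.Wait()
	return t.FailCount(user)
}

func main() {
	t := NewTracker(time.Minute)
	fmt.Println("final failure count for admin:", Hammer(t, "admin", 8, 1000))
}
```

Run it with `go run -race .` and the race detector stays silent. If you strip the lock out of RecordFailure and ExpireOld and run Hammer again, the process dies with the runtime's fatal "concurrent map writes" (or a data-race report under `-race`) instead of returning a count; that abort, reachable from the login path without credentials, is the denial of service this advisory describes, and because the map lives only in memory its contents vanish with the process.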
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | < 2.8.13 | 2.8.13 |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | < 2.8.13 | 2.8.13 |
| argoproj | argo_cd | >= 2.10.0 < 2.10.4 | 2.10.4 |
| argoproj | argo_cd | >= 2.9.0 < 2.9.9 | 2.9.9 |
| github.com | argoproj_argo-cd | 0 – 1.8.7 | — |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.8.13 | 2.8.13 |
| github.com | argoproj_argo-cd_v2 | >= 2.10.0 < 2.10.4 | 2.10.4 |
| github.com | argoproj_argo-cd_v2 | >= 2.9.0 < 2.9.9 | 2.9.9 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Red Hat (vendor) | — | 9.8 | CRITICAL | — |
The 9.8 CRITICAL figure matches the score Red Hat assigns to the chained brute-force-protection bypass CVE-2024-21652 in its advisory further down this page; Red Hat's own advisory for CVE-2024-21661 itself rates it 7.5 (High), in line with NVD.
OSV · 2024-03-22
Denial of service in github.com/argoproj/argo-cd/v2
Application may crash due to concurrent writes, leading to a denial of service. An attacker can crash the application continuously, making it impossible for legitimate users to access the service. Authentication is not required in the attack.
OSV · 2024-03-18 · HIGH
Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment
### Summary
An attacker can exploit a critical flaw in the application to initiate a Denial of Service (DoS) attack, rendering the application inoperable and affecting all users. The issue arises from unsafe manipulation of an array in a multi-threaded environment.
### Details
The vulnerability is rooted in the application's code, where an array is being modified while it is being iterated over. This is a classic programming error but becomes critically unsafe when executed in a multi-threaded environment. When two threads interact with the same array simultaneously, the application crashes.
The core issue is located in [expireOldFailedAttempts](https://github.com/argoproj/argo-cd/blob/5
GHSA · 2024-03-18 · HIGH · CWE-787
Denial of Service (DoS) Vulnerability Due to Unsafe Array Modification in Multi-threaded Environment
The GitHub advisory (GHSA-6v85-wr92-q4p7, linked in the references below) carries the same Summary and Details text as the OSV entry dated 2024-03-18 above.
Red Hat (related advisory for CVE-2024-21652, the chained brute-force bypass, not this CVE) · 2024-03-18 · CVSS 9.8 CRITICAL · CWE-307
argo-cd: Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue.
A bypass of brute force protection flaw was found in Argo
Red Hat · 2024-03-18 · CVSS 7.5 HIGH · CWE-567
argo-cd: Denial of Service Due to Unsafe Array Modification in Multi-threaded Environment
Red Hat's description repeats the CVE description given at the top of this page.
No detection rules found.
No public exploits indexed.
References
https://github.com/argoproj/argo-cd/security/advisories/GHSA-6v85-wr92-q4p7
https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311
https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345
https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208
https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b