CVE-2024-21662
Published: 2024-03-18
Priority: P3 · 53 · critical · CVSS 3.1 base score 9.1
CVSS 3.1 metrics: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.84% (53.2th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account. This is a severe vulnerability that enables attackers to perform brute force attacks at an accelerated rate, especially targeting the default admin account. Users should upgrade to version 2.8.13, 2.9.9, or 2.10.4 to receive a patch.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo_cd | < 2.8.13 | 2.8.13 |
| argoproj | argo_cd | >= 2.10.0 < 2.10.4 | 2.10.4 |
| argoproj | argo_cd | >= 2.9.0 < 2.9.9 | 2.9.9 |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.8.13 | 2.8.13 |
| github.com | argoproj_argo-cd_v2 | >= 2.10.0 < 2.10.4 | 2.10.4 |
| github.com | argoproj_argo-cd_v2 | >= 2.9.0 < 2.9.9 | 2.9.9 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| vendor_redhat | | 7.5 | HIGH | |
OSV
Brute force protection bypass in github.com/argoproj/argo-cd/v2
osv·2024-03-22
CVE-2024-21652 Brute force protection bypass in github.com/argoproj/argo-cd/v2
Brute force protection bypass in github.com/argoproj/argo-cd/v2
An attacker can effectively bypass the rate limit and brute force protections in Argo CD by exploiting the application's weak cache-based mechanism. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account.
GHSA
Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
ghsa·2024-03-18
CVE-2024-21662 [MEDIUM] CWE-307 Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
### Summary
An attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a previously [patched CVE](https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force) intended to protect against brute-force attacks.
### Details
The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with log
OSV
Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
osv·2024-03-18
CVE-2024-21652 [CRITICAL] Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
Bypassing Brute Force Protection via Application Crash and In-Memory Data Loss
### Summary
An attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This makes the application susceptible to brute force attacks, compromising the security of all user accounts.
### Details
The issue arises from two main vulnerabilities:
1. The application crashes due to a previously described DoS vulnerability caused by unsafe array modifications in a multi-threaded environment.
2. The application saves the data of failed login attempts in-memory, without persistent storage. When the application crashes and restarts, this data is lost, resetting the brute force prot
OSV
Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
osv·2024-03-18
CVE-2024-21652 [MEDIUM] Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
### Summary
An attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a previously [patched CVE](https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force) intended to protect against brute-force attacks.
### Details
The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with log
Red Hat
argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
vendor_redhat·2024-03-18·CVSS 7.5
CVE-2024-21662 [HIGH] CWE-307 argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
argo-cd: Bypassing Rate Limit and Brute Force Protection Using Cache Overflow
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can effectively bypass the rate limit and brute force protections by exploiting the application's weak cache-based mechanism. This loophole in security can be combined with other vulnerabilities to attack the default admin account. This flaw undermines a patch for CVE-2020-8827 intended to protect against brute-force attacks. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. This cache is limited to a `defaultMaxCacheSize` of 1000 entries. An attacker can overflow this cache by bombarding it with login attempts for differen
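The following is an added, constructed Go model of the failure mode described in this Red Hat entry and in the NVD summary at the top of the page; it is not Argo CD's code and does not reproduce the project's actual cache implementation or the fix in the linked commits. It keeps the advisory's `defaultMaxCacheSize` of 1000 and assumes hypothetical values for the lockout threshold (5 failures) and window (5 minutes). The weak limiter evicts the oldest entry when the cache is full, so failures recorded against many unrelated usernames push out the admin account's history; the hardened limiter only evicts entries whose lockout window has expired and otherwise fails closed, refusing to track (and therefore rate-limiting) new usernames while the cache is full of live entries.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed example; not Argo CD's code. maxCacheSize matches the
// advisory's defaultMaxCacheSize of 1000; the other two values are hypothetical.
const (
	maxCacheSize  = 1000
	maxFailures   = 5
	lockoutWindow = 5 * time.Minute
)

type failureEntry struct {
	count    int
	lastFail time.Time
}

// weakLimiter: bounded map with FIFO eviction. Any account's failure history
// can be displaced by failures against enough other usernames.
type weakLimiter struct {
	entries map[string]*failureEntry
	order   []string // insertion order used for eviction
}

func newWeakLimiter() *weakLimiter {
	return &weakLimiter{entries: map[string]*failureEntry{}}
}

func (l *weakLimiter) recordFailure(user string, now time.Time) {
	e, ok := l.entries[user]
	if !ok {
		if len(l.entries) >= maxCacheSize {
			oldest := l.order[0] // evicts whoever was tracked first, admin included
			l.order = l.order[1:]
			delete(l.entries, oldest)
		}
		e = &failureEntry{}
		l.entries[user] = e
		l.order = append(l.order, user)
	}
	e.count++
	e.lastFail = now
}

func (l *weakLimiter) isLocked(user string, now time.Time) bool {
	e, ok := l.entries[user]
	return ok && e.count >= maxFailures && now.Sub(e.lastFail) < lockoutWindow
}

// hardenedLimiter: same bound, but only expired entries are evicted. When the
// cache is full of live entries, a new username is not tracked and the caller
// treats the attempt as rate-limited (fail closed), so locked accounts stay locked.
type hardenedLimiter struct {
	entries map[string]*failureEntry
}

func newHardenedLimiter() *hardenedLimiter {
	return &hardenedLimiter{entries: map[string]*failureEntry{}}
}

// recordFailure reports false when the failure could not be tracked because the
// cache is full of entries still inside their lockout window.
func (l *hardenedLimiter) recordFailure(user string, now time.Time) bool {
	e, ok := l.entries[user]
	if !ok {
		if len(l.entries) >= maxCacheSize && !l.evictExpired(now) {
			return false
		}
		e = &failureEntry{}
		l.entries[user] = e
	}
	e.count++
	e.lastFail = now
	return true
}

func (l *hardenedLimiter) evictExpired(now time.Time) bool {
	evicted := false
	for u, e := range l.entries {
		if now.Sub(e.lastFail) >= lockoutWindow {
			delete(l.entries, u)
			evicted = true
		}
	}
	return evicted
}

func (l *hardenedLimiter) isLocked(user string, now time.Time) bool {
	e, ok := l.entries[user]
	return ok && e.count >= maxFailures && now.Sub(e.lastFail) < lockoutWindow
}

// floodScenarioWeak locks "admin", then records one failure for each of n
// distinct other usernames and reports whether admin is still locked.
func floodScenarioWeak(n int) bool {
	now := time.Unix(1_700_000_000, 0)
	l := newWeakLimiter()
	for i := 0; i < maxFailures; i++ {
		l.recordFailure("admin", now)
	}
	for i := 0; i < n; i++ {
		l.recordFailure(fmt.Sprintf("user-%d", i), now)
	}
	return l.isLocked("admin", now)
}

// floodScenarioHardened runs the same flood against the hardened limiter and
// also reports how many new usernames were refused (rate-limited) instead.
func floodScenarioHardened(n int) (adminLocked bool, refused int) {
	now := time.Unix(1_700_000_000, 0)
	l := newHardenedLimiter()
	for i := 0; i < maxFailures; i++ {
		l.recordFailure("admin", now)
	}
	for i := 0; i < n; i++ {
		if !l.recordFailure(fmt.Sprintf("user-%d", i), now) {
			refused++
		}
	}
	return l.isLocked("admin", now), refused
}

// hardenedRecoversAfterWindow checks that the fail-closed limiter starts
// accepting new usernames again once the old entries have expired.
func hardenedRecoversAfterWindow() bool {
	now := time.Unix(1_700_000_000, 0)
	l := newHardenedLimiter()
	for i := 0; i < maxCacheSize; i++ {
		l.recordFailure(fmt.Sprintf("user-%d", i), now)
	}
	return l.recordFailure("newcomer", now.Add(lockoutWindow))
}

func main() {
	fmt.Println("weak limiter, admin still locked after 1000 other users:", floodScenarioWeak(1000))
	locked, refused := floodScenarioHardened(1500)
	fmt.Println("hardened limiter, admin still locked:", locked, "new usernames refused:", refused)
	fmt.Println("hardened limiter accepts new users after window:", hardenedRecoversAfterWindow())
}
```

The count that matters is the cache bound, not the number of failures per account: in the weak model the admin entry survives 999 other usernames and is gone at the 1000th, which is exactly the "pushing out the admin account's failed attempts" the advisory describes. The fail-closed choice in the hardened model trades availability for tracking new logins during a flood for keeping existing lockouts intact; a deployment would normally pair it with logging of refused attempts so the flood itself becomes a detection signal.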
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://argo-cd.readthedocs.io/en/stable/security_considerations/#cve-2020-8827-insufficient-anti-automationanti-brute-force
- https://github.com/argoproj/argo-cd/commit/17b0df1168a4c535f6f37e95f25ed7cd81e1fa4d
- https://github.com/argoproj/argo-cd/commit/6e181d72b31522f886a2afa029d5b26d7912ec7b
- https://github.com/argoproj/argo-cd/commit/cebb6538f7944c87ca2fecb5d17f8baacc431456
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-2vgg-9h6w-m454
Published: 2024-03-18