CVE-2024-40634
Published 2024-07-22
Priority: P3 · 44 · High 7.5 (CVSS 3.1) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 1.39% (68.9th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo-cd | — | — |
| argoproj | argo_cd | >= 1.0.0 < 2.9.20 | 2.9.20 |
| argoproj | argo_cd | >= 2.10.0 < 2.10.15 | 2.10.15 |
| argoproj | argo_cd | >= 2.11.0 < 2.11.6 | 2.11.6 |
| github.com | argoproj_argo-cd | 1.0.0 – 1.8.7 | — |
| github.com | argoproj_argo-cd | >= 1.0.0 | — |
| github.com | argoproj_argo-cd_v2 | >= 0 < 2.9.20 | 2.9.20 |
| github.com | argoproj_argo-cd_v2 | >= 2.10.0 < 2.10.15 | 2.10.15 |
| github.com | argoproj_argo-cd_v2 | >= 2.11.0 < 2.11.6 | 2.11.6 |
CVSS provenance

| Source | CVSS version | Score | Vector |
|---|---|---|---|
| nvd | 3.1 | 7.5 HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | — | 7.5 HIGH | — |
OSV
Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd
osv·2024-08-06
CVE-2024-40634 Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in github.com/argoproj/argo-cd
OSV
Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
osv·2024-07-22
CVE-2024-40634 [HIGH] Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
### Summary
This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.
### Details
The webhook server always listens to requests. By default, the endpoint doesn't require authentication. It's possible to send a large, malicious request with headers (in this case "X-GitHub-Event: push") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side wit
GHSA
Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
ghsa·2024-07-22
CVE-2024-40634 [HIGH] CWE-400 Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint
### Summary
This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.
### Details
The webhook server always listens to requests. By default, the endpoint doesn't require authentication. It's possible to send a large, malicious request with headers (in this case "X-GitHub-Event: push") that will make ArgoCD start allocating memory to parse the incoming request. Since the request can be constructed client-side wit
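The Details section above describes unbounded allocation while parsing an unauthenticated webhook body. As a defender-side illustration of the mitigation class (added here; not Argo CD's own code or its actual fix), the handler below caps the body with `http.MaxBytesReader` before the JSON decoder touches it, so an oversized request is rejected with 413 instead of growing the process. The 1 MiB cap, the `pushEvent` type and the handler itself are assumptions for this example, not Argo CD values.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxWebhookPayload bounds how much of a webhook body the handler reads.
// Assumed value for this example; size it to the largest legitimate event.
const maxWebhookPayload = 1 << 20 // 1 MiB

// pushEvent is a minimal, assumed shape for a push event body.
type pushEvent struct {
	Ref string `json:"ref"`
}

// webhookHandler decodes a push event but refuses bodies above the cap.
// MaxBytesReader stops reading at the limit, so the decoder can never be
// driven to allocate for an arbitrarily large client-controlled body.
func webhookHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-GitHub-Event") != "push" {
		http.Error(w, "unsupported event", http.StatusBadRequest)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxWebhookPayload)
	var ev pushEvent
	if err := json.NewDecoder(r.Body).Decode(&ev); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad payload", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// postWebhook feeds a constructed body through the handler and returns the status.
func postWebhook(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/webhook", strings.NewReader(body))
	req.Header.Set("X-GitHub-Event", "push")
	rec := httptest.NewRecorder()
	webhookHandler(rec, req)
	return rec.Code
}

func main() {
	small := `{"ref":"refs/heads/main"}`                   // constructed, within cap
	large := `{"ref":"` + strings.Repeat("A", 2<<20) + `"}` // constructed, 2 MiB
	println(postWebhook(small), postWebhook(large))        // 200 413
}
```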
Red Hat
argocd: Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in Argo CD
vendor_redhat·2024-07-22·CVSS 7.5
CVE-2024-40634 [HIGH] CWE-400 argocd: Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook Endpoint in Argo CD
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.
A vulnerability was found in Argo CD. This flaw allows an unauthenticated attacker to send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation leading to servi
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
- https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
- https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w