CVE-2024-40634
published 2024-07-22

Priority: P344
Severity: high
CVSS 3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 1.39% (68.9th percentile)
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.
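The mitigation a defender wants for this bug class is a hard cap on how many bytes a webhook handler will read before it starts decoding JSON. The Go snippet below is an added illustration, not Argo CD's own code; the 1 MiB limit and the handler name are assumptions for the example, and the page does not state what limit the fixed releases use.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxWebhookBody is an assumed limit (1 MiB) chosen for this example.
const maxWebhookBody = 1 << 20

// webhookHandler decodes a JSON event but wraps the body in
// http.MaxBytesReader first, so a body above the cap is rejected with
// 413 instead of being buffered in full. Without the cap, an
// unauthenticated client can force the process to allocate memory
// proportional to whatever it sends, which is the OOM-kill path
// described for CVE-2024-40634.
func webhookHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, maxWebhookBody)
	var payload map[string]any
	if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// postWebhook drives the handler in-process with a constructed body and
// returns the HTTP status code it produced.
func postWebhook(body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/api/webhook", strings.NewReader(body))
	webhookHandler(rec, req)
	return rec.Code
}

func main() {
	small := `{"ref":"refs/heads/main"}`                            // constructed event
	large := `{"pad":"` + strings.Repeat("A", 2*maxWebhookBody) + `"}` // 2 MiB, over cap
	println(postWebhook(small), postWebhook(large)) // 200 413
}
```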

Affected

11 ranges

Vendor       Product               Version range          Fixed in
argoproj     argo-cd
argoproj     argo-cd
argoproj     argo-cd
argoproj     argo_cd               >= 1.0.0 < 2.9.20      2.9.20
argoproj     argo_cd               >= 2.10.0 < 2.10.15    2.10.15
argoproj     argo_cd               >= 2.11.0 < 2.11.6     2.11.6
github.com   argoproj_argo-cd      1.0.0 – 1.8.7
github.com   argoproj_argo-cd      >= 1.0.0
github.com   argoproj_argo-cd_v2   >= 0 < 2.9.20          2.9.20
github.com   argoproj_argo-cd_v2   >= 2.10.0 < 2.10.15    2.10.15
github.com   argoproj_argo-cd_v2   >= 2.11.0 < 2.11.6     2.11.6

CVSS provenance

nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat: 7.5 HIGH