
x/vulndb: potential Go vuln in github.com/argoproj/argo-cd/v2: GHSA-jmvp-698c-4x3w

Open · GoVulnBot opened this issue 1 year ago · 1 comment

Advisory GHSA-jmvp-698c-4x3w references a vulnerability in the following Go modules:

Module
github.com/argoproj/argo-cd
github.com/argoproj/argo-cd/v2

Description:

Summary

This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments.

Details

The webhook server always listens to requests. By default, the endpoint doesn't require authentication. It's possible to send a large, malicious request with headers (in this case "X-GitHub-Event: push") that will make Arg...

References:

  • ADVISORY: https://github.com/advisories/GHSA-jmvp-698c-4x3w
  • ADVISORY: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
  • FIX: https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
  • FIX: https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
  • FIX: https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df

Cross references:

  • github.com/argoproj/argo-cd appears in 32 other report(s):
    • data/excluded/GO-2022-0304.yaml (https://github.com/golang/vulndb#304) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0357.yaml (https://github.com/golang/vulndb#357) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0358.yaml (https://github.com/golang/vulndb#358) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0359.yaml (https://github.com/golang/vulndb#359) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0387.yaml (https://github.com/golang/vulndb#387) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0453.yaml (https://github.com/golang/vulndb#453) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0454.yaml (https://github.com/golang/vulndb#454) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0455.yaml (https://github.com/golang/vulndb#455) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0495.yaml (https://github.com/golang/vulndb#495) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0497.yaml (https://github.com/golang/vulndb#497) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0498.yaml (https://github.com/golang/vulndb#498) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0499.yaml (https://github.com/golang/vulndb#499) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0516.yaml (https://github.com/golang/vulndb#516) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0517.yaml (https://github.com/golang/vulndb#517) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0518.yaml (https://github.com/golang/vulndb#518) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2022-0882.yaml (https://github.com/golang/vulndb#882) NOT_IMPORTABLE
    • data/excluded/GO-2022-0892.yaml (https://github.com/golang/vulndb#892) NOT_IMPORTABLE
    • data/excluded/GO-2023-1512.yaml (https://github.com/golang/vulndb#1512) NOT_IMPORTABLE
    • data/excluded/GO-2023-1520.yaml (https://github.com/golang/vulndb#1520) NOT_IMPORTABLE
    • data/excluded/GO-2023-1577.yaml (https://github.com/golang/vulndb#1577) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2023-1670.yaml (https://github.com/golang/vulndb#1670) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2023-2018.yaml (https://github.com/golang/vulndb#2018) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2023-2049.yaml (https://github.com/golang/vulndb#2049) NOT_IMPORTABLE
    • data/excluded/GO-2023-2050.yaml (https://github.com/golang/vulndb#2050) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2024-2470.yaml (https://github.com/golang/vulndb#2470) EFFECTIVELY_PRIVATE
    • data/reports/GO-2024-2643.yaml (https://github.com/golang/vulndb#2643)
    • data/reports/GO-2024-2646.yaml (https://github.com/golang/vulndb#2646)
    • data/reports/GO-2024-2728.yaml (https://github.com/golang/vulndb#2728)
    • data/reports/GO-2024-2792.yaml (https://github.com/golang/vulndb#2792)
    • data/reports/GO-2024-2877.yaml (https://github.com/golang/vulndb#2877)
    • data/reports/GO-2024-2898.yaml (https://github.com/golang/vulndb#2898)
    • data/reports/GO-2024-2902.yaml (https://github.com/golang/vulndb#2902)
  • github.com/argoproj/argo-cd/v2 appears in 15 other report(s):
    • data/excluded/GO-2022-0869.yaml (https://github.com/golang/vulndb#869) NOT_IMPORTABLE
    • data/excluded/GO-2023-1670.yaml (https://github.com/golang/vulndb#1670) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2023-1952.yaml (https://github.com/golang/vulndb#1952) EFFECTIVELY_PRIVATE
    • data/excluded/GO-2023-2085.yaml (https://github.com/golang/vulndb#2085) EFFECTIVELY_PRIVATE
    • data/reports/GO-2023-1548.yaml (https://github.com/golang/vulndb#1548)
    • data/reports/GO-2024-2643.yaml (https://github.com/golang/vulndb#2643)
    • data/reports/GO-2024-2646.yaml (https://github.com/golang/vulndb#2646)
    • data/reports/GO-2024-2652.yaml (https://github.com/golang/vulndb#2652)
    • data/reports/GO-2024-2654.yaml (https://github.com/golang/vulndb#2654)
    • data/reports/GO-2024-2667.yaml (https://github.com/golang/vulndb#2667)
    • data/reports/GO-2024-2728.yaml (https://github.com/golang/vulndb#2728)
    • data/reports/GO-2024-2792.yaml (https://github.com/golang/vulndb#2792)
    • data/reports/GO-2024-2877.yaml (https://github.com/golang/vulndb#2877)
    • data/reports/GO-2024-2898.yaml (https://github.com/golang/vulndb#2898)
    • data/reports/GO-2024-2902.yaml (https://github.com/golang/vulndb#2902)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/argoproj/argo-cd
      non_go_versions:
        - introduced: TODO (earliest fixed "", vuln range ">= 1.0.0, <= 1.8.7")
      vulnerable_at: 1.8.6
    - module: github.com/argoproj/argo-cd/v2
      versions:
        - fixed: 2.9.20
        - introduced: 2.10.0
        - fixed: 2.10.15
        - introduced: 2.11.0
        - fixed: 2.11.6
      vulnerable_at: 2.11.5
summary: |-
    Argo CD Unauthenticated Denial of Service (DoS) Vulnerability via /api/webhook
    Endpoint in github.com/argoproj/argo-cd
cves:
    - CVE-2024-40634
ghsas:
    - GHSA-jmvp-698c-4x3w
references:
    - advisory: https://github.com/advisories/GHSA-jmvp-698c-4x3w
    - advisory: https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3w
    - fix: https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0cdc
    - fix: https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38b36
    - fix: https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625a4df
source:
    id: GHSA-jmvp-698c-4x3w
    created: 2024-07-22T18:01:16.422997048Z
review_status: UNREVIEWED

GoVulnBot, Jul 22 '24 18:07
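The failure mode the advisory describes (an unauthenticated webhook endpoint that buffers an attacker-sized JSON body before decoding it) and the standard Go mitigation, as an added example. This is not Argo CD's code and does not reproduce the referenced fix commits; the 1 MiB cap, the `pushEvent` struct, the padded payload and the `deliver`/`craftPayload` helpers are assumptions chosen for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxWebhookPayload is an assumed cap (1 MiB) chosen for this illustration.
// Whatever limit Argo CD adopted lives in the fix commits referenced above, not here.
const maxWebhookPayload int64 = 1 << 20

// pushEvent is a constructed stand-in for the fields a push handler reads.
// encoding/json ignores unknown members, so a multi-megabyte "pad" field still
// decodes cleanly: nothing in the JSON itself stops the allocation.
type pushEvent struct {
	Ref        string `json:"ref"`
	Repository struct {
		CloneURL string `json:"clone_url"`
	} `json:"repository"`
}

// vulnerableHandler shows the pattern the advisory describes: no credentials,
// dispatch on X-GitHub-Event, and the whole body buffered before decoding,
// so the sender decides how much memory each request allocates.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-GitHub-Event") != "push" {
		http.Error(w, "unsupported event", http.StatusBadRequest)
		return
	}
	body, err := io.ReadAll(r.Body) // unbounded: allocates len(body) bytes per request
	if err != nil {
		http.Error(w, "read failed", http.StatusBadRequest)
		return
	}
	var ev pushEvent
	if err := json.Unmarshal(body, &ev); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// hardenedHandler wraps the body with http.MaxBytesReader before the first read
// and decodes as a stream. Past the cap the reader yields *http.MaxBytesError,
// so per-request memory is bounded by the cap rather than by the sender.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("X-GitHub-Event") != "push" {
		http.Error(w, "unsupported event", http.StatusBadRequest)
		return
	}
	r.Body = http.MaxBytesReader(w, r.Body, maxWebhookPayload)
	var ev pushEvent
	if err := json.NewDecoder(r.Body).Decode(&ev); err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "payload too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// craftPayload builds a syntactically valid push event padded with `padding`
// filler bytes; constructed input for the demonstration only.
func craftPayload(padding int) string {
	return `{"ref":"refs/heads/main","repository":{"clone_url":"https://example.invalid/r.git"},"pad":"` +
		strings.Repeat("A", padding) + `"}`
}

// countingReader records how many body bytes a handler actually pulled.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// deliver posts body to h as a GitHub push webhook and returns the HTTP status
// plus the number of body bytes the handler consumed.
func deliver(h http.HandlerFunc, body string) (status int, consumed int64) {
	cr := &countingReader{r: strings.NewReader(body)}
	req := httptest.NewRequest(http.MethodPost, "/api/webhook", cr)
	req.Header.Set("X-GitHub-Event", "push")
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, cr.n
}

func main() {
	big := craftPayload(int(2 * maxWebhookPayload)) // twice the cap
	code, n := deliver(vulnerableHandler, big)
	fmt.Printf("vulnerable: status=%d, consumed %d of %d bytes\n", code, n, len(big))
	code, n = deliver(hardenedHandler, big)
	fmt.Printf("hardened:   status=%d, consumed %d of %d bytes\n", code, n, len(big))
}
```

The cap has to be installed before the first read of `r.Body`; an `io.ReadAll` or `Decode` that runs earlier has already done the allocation. `http.MaxBytesReader` also stops reading at cap+1 bytes, which is what the counting reader makes visible: the vulnerable handler drains the whole 2 MiB, the hardened one stops just past 1 MiB and answers 413. A body-size limit on the reverse proxy in front of the API server is a reasonable second layer, but it does not replace the in-process cap, since the process is what gets OOM-killed.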

Change https://go.dev/cl/601384 mentions this issue: data/reports: add GO-2024-3002

gopherbot, Jul 26 '24 20:07

Change https://go.dev/cl/603235 mentions this issue: data/reports: add 29 unreviewed reports

gopherbot, Aug 05 '24 21:08