Skip to content

Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences

Moderate severity GitHub Reviewed Published Apr 26, 2024 in argoproj/argo-cd • Updated Apr 26, 2024

Package

gomod github.com/argoproj/argo-cd/v2 (Go)

Affected versions

>= 2.10.0, < 2.10.8
>= 2.9.0, < 2.9.13
< 2.8.17

Patched versions

2.10.8
2.9.13
2.8.17

Description

Impact

DoS vuln via OOM using jq in ignoreDifferences.

ignoreDifferences:
    - group: apps
       kind: Deployment
       jqPathExpressions: 
	    - 'until(true == false; [.] + [1])'

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

v2.10.8
v2.9.13
v2.8.17

For more information

If you have any questions or comments about this advisory:

Open an issue in the Argo CD issue tracker or discussions
Join us on Slack in channel #argo-cd

Credits
This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue

References

@pasha-codefresh pasha-codefresh published to argoproj/argo-cd Apr 26, 2024
Published to the GitHub Advisory Database Apr 26, 2024
Reviewed Apr 26, 2024
Last updated Apr 26, 2024

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2024-32476

GHSA ID

GHSA-9m6p-x4h2-6frq

Source code

Credits

Checking history
See something to contribute? Suggest improvements for this vulnerability.