Impact
All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exploits this vulnerability to the repo-server, thereby harming the system's functionality and availability. Additionally, the repo-server is susceptible to another vulnerability due to the fact that it does not check the extracted file permissions before attempting to delete them. Consequently, an attacker can craft a malicious tar.gz archive in a way that prevents the deletion of its inner files when the manifest generation process is completed.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
Workarounds
The only way to completely resolve the issue is to upgrade.
Mitigations
Configure RBAC (Role-Based Access Control) and provide access for configuring applications only to a limited number of administrators. These administrators should utilize trusted and verified Helm charts.
For more information
If you have any questions or comments about this advisory:
Credits
This vulnerability was found & reported by GE Vernova – Amit Laish.
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
References
amit-laish Analyst
Impact
All versions of ArgoCD starting from v2.4 have a bug where the ArgoCD repo-server component is vulnerable to a Denial-of-Service attack vector. Specifically, the said component extracts a user-controlled tar.gz file without validating the size of its inner files. As a result, a malicious, low-privileged user can send a malicious tar.gz file that exploits this vulnerability to the repo-server, thereby harming the system's functionality and availability. Additionally, the repo-server is susceptible to another vulnerability due to the fact that it does not check the extracted file permissions before attempting to delete them. Consequently, an attacker can craft a malicious tar.gz archive in a way that prevents the deletion of its inner files when the manifest generation process is completed.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
Workarounds
The only way to completely resolve the issue is to upgrade.
Mitigations
Configure RBAC (Role-Based Access Control) and provide access for configuring applications only to a limited number of administrators. These administrators should utilize trusted and verified Helm charts.
For more information
If you have any questions or comments about this advisory:
Credits
This vulnerability was found & reported by GE Vernova – Amit Laish.
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
References