Description
Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences
Impact
Denial of service. A crafted jq expression supplied through jqPathExpressions in an Application's ignoreDifferences can consume unbounded memory while Argo CD evaluates it, driving the evaluating process out of memory (OOM). Because the expression lives in the Application spec, anyone permitted to create or update Applications can trigger it.
Patches
A patch for this vulnerability has been released in the following Argo CD versions:
- v2.10.8
- v2.9.13
- v2.8.17
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Argo CD issue tracker or discussions
- Join us on Slack in channel #argo-cd
Credits
This vulnerability was found and reported by @crenshaw-dev (Michael Crenshaw).
The Argo team would like to thank these contributors for their responsible disclosure and constructive communication during the resolution of this issue.
References
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-9m6p-x4h2-6frq
- https://nvd.nist.gov/vuln/detail/CVE-2024-32476
- https://github.com/argoproj/argo-cd/commit/7893979a1e78d59cedd0ba790ded24e30bb40657
- https://github.com/argoproj/argo-cd/commit/9e5cc5a26ff0920a01816231d59fdb5eae032b5a
- https://github.com/argoproj/argo-cd/commit/e2df7315fb7d96652186bf7435773a27be330cac
Packages
- github.com/argoproj/argo-cd/v2: affected >= 2.10.0, < 2.10.8; fixed in 2.10.8
- github.com/argoproj/argo-cd/v2: affected >= 2.9.0, < 2.9.13; fixed in 2.9.13
- github.com/argoproj/argo-cd/v2: affected < 2.8.17; fixed in 2.8.17
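As an added example (written for this page, not code from the Argo CD project or the advisory), the following Python script turns the affected ranges above into a version check and enumerates Application objects whose ignoreDifferences carries jqPathExpressions, the field named in the Impact section. It assumes the input is the JSON produced by `kubectl get applications -A -o json`; the Application list embedded in the script is constructed for illustration, and the helper names (is_vulnerable, find_jq_ignore_rules) are this example's own.

```python
"""Audit helpers for CVE-2024-32476 (GHSA-9m6p-x4h2-6frq).

Example code written for this advisory page; it is not part of Argo CD.
"""
import json
import re
import sys

# Affected ranges copied from the Packages section of the advisory
# (Go module github.com/argoproj/argo-cd/v2): minor -> first fixed version.
# Every minor below 2.9 is governed by the "< 2.8.17" range.
FIRST_FIXED = {
    10: (2, 10, 8),
    9: (2, 9, 13),
}
FIRST_FIXED_LEGACY = (2, 8, 17)

# Accepts "v2.10.7", "2.10.7" and build-suffixed forms such as "v2.10.7+abc1234".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Reduce an Argo CD version string to a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Argo CD version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version: str) -> bool:
    """True if `version` falls inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    if major != 2:
        # The advisory lists ranges for the v2 module only; fail loudly instead
        # of silently reporting another major line as safe.
        raise ValueError(f"{version!r} is outside the v2 module covered by this advisory")
    if minor in FIRST_FIXED:
        return (major, minor, patch) < FIRST_FIXED[minor]
    if minor < 9:
        return (major, minor, patch) < FIRST_FIXED_LEGACY
    return False  # 2.11 and later are outside every listed range


def find_jq_ignore_rules(app_list: dict) -> list:
    """Walk a `kubectl get applications -A -o json` document and return one
    record per ignoreDifferences entry that carries jqPathExpressions."""
    findings = []
    for app in app_list.get("items", []):
        meta = app.get("metadata") or {}
        spec = app.get("spec") or {}
        for rule in spec.get("ignoreDifferences") or []:
            exprs = rule.get("jqPathExpressions") or []
            if not exprs:
                continue  # jsonPointers / managedFieldsManagers rules are not evaluated by jq
            findings.append({
                "namespace": meta.get("namespace"),
                "name": meta.get("name"),
                "project": spec.get("project"),
                "target": f"{rule.get('group', '')}/{rule.get('kind', '')}",
                "expressions": list(exprs),
            })
    return findings


# Constructed sample standing in for `kubectl get applications -A -o json`:
# one Application with a jq rule, one with a JSON-pointer rule only.
SAMPLE_APPS = {
    "items": [
        {
            "metadata": {"name": "guestbook", "namespace": "argocd"},
            "spec": {
                "project": "default",
                "ignoreDifferences": [
                    {
                        "group": "apps",
                        "kind": "Deployment",
                        "jqPathExpressions": [
                            '.spec.template.spec.containers[] | select(.name == "sidecar") | .image'
                        ],
                    }
                ],
            },
        },
        {
            "metadata": {"name": "ingress-nginx", "namespace": "argocd"},
            "spec": {
                "project": "infra",
                "ignoreDifferences": [
                    {"group": "", "kind": "Service", "jsonPointers": ["/spec/clusterIP"]}
                ],
            },
        },
    ]
}


if __name__ == "__main__":
    # Usage: python audit.py <argocd-version> [applications.json]
    version = sys.argv[1] if len(sys.argv) > 1 else "v2.10.7"
    apps = SAMPLE_APPS
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            apps = json.load(fh)
    state = "VULNERABLE" if is_vulnerable(version) else "not in an affected range"
    print(f"Argo CD {version}: {state}")
    for f in find_jq_ignore_rules(apps):
        print(f"{f['namespace']}/{f['name']} (project {f['project']}) "
              f"{f['target']}: {f['expressions']}")
```

Run it with the version reported by `argocd version` (or the image tag of the application controller) and, optionally, a saved Application list. A non-empty finding list is not itself a compromise indicator; it tells you which Applications, and therefore which RBAC subjects, can put jq expressions in front of the controller, which is where to focus review until the upgrade lands. Note that the cluster-wide resource.customizations.ignoreDifferences settings in argocd-cm can also carry jqPathExpressions, but those are admin-controlled and are not covered by this script.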
Related vulnerabilities
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16. (Note: these numbers are one patch release lower than the v2.10.8, v2.9.13 and v2.8.17 given in the Patches section above; when in doubt, upgrade to the later of the two.)
A vulnerability in the ignoreDifferences configuration of Argo CD, a declarative GitOps continuous delivery tool for Kubernetes, allows an attacker to cause a denial of service.