Описание
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
A denial of service vulnerability was identified in the Argo CD continuous delivery tool, which is distributed as part of Red Hat GitOps product. An unauthenticated attacker can exploit this flaw by sending a specially crafted request to the Application Programming Interface (API) webhook endpoint. This action causes the API server to crash, preventing it from restarting properly. By repeatedly targeting the server, an attacker can cause a complete service outage, making the Argo CD interface unavailable to all users. This vulnerability is only exposed in configurations where a specific webhook secret has not been set.
Отчет
This vulnerability was rated as Important by the Red Hat Product Security team, this happens because an unauthenticated attacker is able to cause a denial of service from the whole GitOps cluster. This vulnerability affects only clusters without a configured 'webhook.bitbucket.secret' configuration key, thus clusters that have this option configured are not exposed to this flaw.
This vulnerability lies in a unsafe cast when trying to retrieve the repository.links.cloneJSON field from BitBucket-Server push request. When the unsafe cast is triggered, the goroutine created by the worker to process the request will fail within an assertion panic and, as it lacks a recovery routine, the whole argocd-server binary will be terminated. If an attacker manages to force all the argocd-server replica nodes to reach this assertion failure, a Denial of Service of the whole cluster will happen.
Меры по смягчению последствий
If a BitBucket repository is being used by GitOps it's possible to mitigate this vulnerability by setting up a BitBucket webhook secret to ensure only trusted parties can access the webhook endpoint. In case BitBucket is not being used, the user can set the webhook secret to a long random value to prevent the webhook from being called:
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Versions 1.2.0 through 1.8.7, 2.0.0-rc1 through 2.14.19, 3.0.0-rc1 through 3.2.0-rc1, 3.1.7 and 3.0.18 are vulnerable to malicious API requests which can crash the API server and cause denial of service to legitimate clients. Without a configured webhook.bitbucketserver.secret, Argo CD's /api/webhook endpoint crashes when receiving a malformed Bitbucket Server payload (non-array repository.links.clone field). A single unauthenticated request triggers CrashLoopBackOff, and targeting all replicas causes complete API outage. This issue is fixed in versions 2.14.20, 3.2.0-rc2, 3.1.8 and 3.0.19.
Unauthenticated argocd-server panic via a malicious Bitbucket-Server webhook payload
EPSS
7.5 High
CVSS3