CVE-2024-40634

See a problem?

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-40634

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-40634.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-40634

Aliases

Related

Published

2024-07-22T18:15:03Z

Modified

2024-10-08T04:20:14.334150Z

Summary

[none]

Details

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.

References

Affected packages

Git / github.com/argoproj/argo-cd

Affected ranges

Type: GIT
Repo: https://github.com/argoproj/argo-cd
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

46c0c0b64deaab1ece70cb701030b76668ad0cdc

Fixed

540e3a57b90eb3655db54793332fac86bcc38b36

Fixed

d881ee78949e23160a0b280bb159e4d3d625a4df

Affected versions

v0.*

v0.1.0

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.4.0

v0.4.0-alpha1

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.5.0

v0.5.1

v0.5.2

v0.6.0

v0.6.1

v0.7.0

v0.7.1

v0.8.0

v2.*

v2.10.0

v2.10.0-rc1

v2.10.0-rc2

v2.10.0-rc3

v2.10.0-rc4

v2.10.0-rc5

v2.10.1

v2.10.10

v2.10.11

v2.10.12

v2.10.13

v2.10.14

v2.10.2

v2.10.3

v2.10.4

v2.10.5

v2.10.6

v2.10.7

v2.10.8

v2.10.9

v2.11.0

v2.11.0-rc1

v2.11.0-rc2

v2.11.0-rc3

v2.11.1

v2.11.2

v2.11.3

v2.11.4

v2.11.5

v2.9.0

v2.9.0-rc1

v2.9.0-rc2

v2.9.0-rc3

v2.9.0-rc4

v2.9.1

v2.9.11

v2.9.12

v2.9.13

v2.9.14

v2.9.15

v2.9.16

v2.9.17

v2.9.18

v2.9.19

v2.9.2

v2.9.3

v2.9.4

v2.9.5

v2.9.6

v2.9.7

v2.9.8

v2.9.9