GHSA-9m6p-x4h2-6frq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9m6p-x4h2-6frq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-9m6p-x4h2-6frq/GHSA-9m6p-x4h2-6frq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9m6p-x4h2-6frq
- Aliases
- Related
- Published
- 2024-04-26T16:40:35Z
- Modified
- 2024-06-04T16:56:44.063112Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Argo CD vulnerable to a Denial of Service via malicious jqPathExpressions in ignoreDifferences
- Details
-
Impact
DoS vuln via OOM using jq in ignoreDifferences.
ignoreDifferences: - group: apps kind: Deployment jqPathExpressions: - 'until(true == false; [.] + [1])'Patches
A patch for this vulnerability has been released in the following Argo CD versions:
v2.10.8 v2.9.13 v2.8.17
For more information
If you have any questions or comments about this advisory:
Open an issue in the Argo CD issue tracker or discussions Join us on Slack in channel #argo-cd
Credits This vulnerability was found & reported by @crenshaw-dev (Michael Crenshaw)
The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolve of this issue
- Database specific
{ "nvd_published_at": "2024-05-14T15:36:25Z", "cwe_ids": [ "CWE-400" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-04-26T16:40:35Z" }- References
-
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-9m6p-x4h2-6frq
- https://nvd.nist.gov/vuln/detail/CVE-2024-32476
- https://github.com/argoproj/argo-cd/commit/7893979a1e78d59cedd0ba790ded24e30bb40657
- https://github.com/argoproj/argo-cd/commit/9e5cc5a26ff0920a01816231d59fdb5eae032b5a
- https://github.com/argoproj/argo-cd/commit/e2df7315fb7d96652186bf7435773a27be330cac
- https://github.com/argoproj/argo-cd
Affected packages
Go / github.com/argoproj/argo-cd/v2
Package
- Name
- github.com/argoproj/argo-cd/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v2
Go / github.com/argoproj/argo-cd/v2
Package
- Name
- github.com/argoproj/argo-cd/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v2
Go / github.com/argoproj/argo-cd/v2
Package
- Name
- github.com/argoproj/argo-cd/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/argoproj/argo-cd/v2