GHSA-9m6p-x4h2-6frq

Source
https://github.com/advisories/GHSA-9m6p-x4h2-6frq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-9m6p-x4h2-6frq/GHSA-9m6p-x4h2-6frq.json
Aliases
  • CVE-2024-32476
Published
2024-04-26T16:40:35Z
Modified
2024-04-26T16:56:43.282949Z
Details

Impact

Denial of service (DoS) via out-of-memory (OOM) using a jq expression in ignoreDifferences.

ignoreDifferences:
  - group: apps
    kind: Deployment
    jqPathExpressions:
      - 'until(true == false; [.] + [1])'

Patches

A patch for this vulnerability has been released in the following Argo CD versions:

  • v2.10.8
  • v2.9.13
  • v2.8.17

For more information

If you have any questions or comments about this advisory:

  • Open an issue in the Argo CD issue tracker or discussions
  • Join us on Slack in channel #argo-cd

Credits

This vulnerability was found and reported by @crenshaw-dev (Michael Crenshaw).

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolution of this issue.

References

Affected packages

Go / github.com/argoproj/argo-cd/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.10.0
Fixed
2.10.8

Go / github.com/argoproj/argo-cd/v2

Affected ranges

Type
SEMVER
Events
Introduced
2.9.0
Fixed
2.9.13

Go / github.com/argoproj/argo-cd/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
2.8.17