GO-2024-2652

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2024-2652

Import Source

https://vuln.go.dev/ID/GO-2024-2652.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2024-2652

Aliases

Published

2024-03-22T17:31:17Z

Modified

2024-05-20T16:03:47Z

Summary

Brute force protection bypass in github.com/argoproj/argo-cd/v2

Details

An attacker can effectively bypass the rate limit and brute force protections in Argo CD by exploiting the application's weak cache-based mechanism. The application's brute force protection relies on a cache mechanism that tracks login attempts for each user. An attacker can overflow this cache by bombarding it with login attempts for different users, thereby pushing out the admin account's failed attempts and effectively resetting the rate limit for that account.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2024-2652"
}

References

Credits

- @nadava669
- @pasha-codefresh
- @crenshaw-dev
- @todaywasawesome
- @jannfis

Affected packages

Go / github.com/argoproj/argo-cd/v2

Package

Name: github.com/argoproj/argo-cd/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/argoproj/argo-cd/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.8.13

Introduced

2.9.0

Fixed

2.9.9

Introduced

2.10.0

Fixed

2.10.4

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/argoproj/argo-cd/v2/util/session",
            "symbols": [
                "SessionManager.VerifyUsernamePassword",
                "SessionManager.updateFailureCount",
                "getMaximumCacheSize"
            ]
        }
    ]
}