Vulnerability Report: GO-2024-2654

CVE-2024-21661, GHSA-6v85-wr92-q4p7
Affects: github.com/argoproj/argo-cd/v2
Published: Mar 22, 2024
Modified: May 20, 2024

Application may crash due to concurrent writes, leading to a denial of service. An attacker can crash the application continuously, making it impossible for legitimate users to access the service. Authentication is not required in the attack.

Affected Packages

Path

Versions

Symbols
github.com/argoproj/argo-cd/v2/server/application

before v2.8.13, from v2.9.0 before v2.9.9, from v2.10.0 before v2.10.4
- NewHandler
github.com/argoproj/argo-cd/v2/util/session

before v2.8.13, from v2.9.0 before v2.9.9, from v2.10.0 before v2.10.4
- SessionManager.VerifyUsernamePassword

Aliases

CVE-2024-21661
GHSA-6v85-wr92-q4p7

References

https://github.com/argoproj/argo-cd/commit/2a22e19e06aaf6a1e734443043310a66c234e345
https://github.com/argoproj/argo-cd/commit/5bbb51ab423f273dda74ab956469843d2db2e208
https://github.com/argoproj/argo-cd/commit/ce04dc5c6f6e92033221ec6d96b74403b065ca8b
https://github.com/argoproj/argo-cd/blob/54601c8fd30b86a4c4b7eb449956264372c8bde0/util/session/sessionmanager.go#L302-L311
https://vuln.go.dev/ID/GO-2024-2654.json

Credits

@nadava669@todaywasawesome, @crenshaw-dev, @jannfis, @pasha-codefresh

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL