Vulnerability Description
Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the repo-server service, resulting in a Denial of Service. The attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. The fix for this vulnerability is available in versions 2.3.5, 2.2.10, 2.1.16, and later. There are no known workarounds. Users are recommended to upgrade.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Argoproj | Argo Cd | >= 0.7.0, < 2.1.16 |
Related Weaknesses (CWE)
References
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwqPatchThird Party Advisory
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-jhqp-vf4w-rpwqPatchThird Party Advisory
FAQ
What is CVE-2022-31016?
CVE-2022-31016 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Argo CD is a declarative continuous deployment for Kubernetes. Argo CD versions v0.7.0 and later are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to cras...
How severe is CVE-2022-31016?
CVE-2022-31016 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-31016?
Check the references section above for vendor advisories and patch information. Affected products include: Argoproj Argo Cd.