Vulnerability Description
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large JSON payload to the /api/webhook endpoint, causing excessive memory allocation that leads to service disruption by triggering an Out Of Memory (OOM) kill. The issue poses a high risk to the availability of Argo CD deployments. This vulnerability is fixed in 2.11.6, 2.10.15, and 2.9.20.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Argoproj | Argo Cd | >= 1.0.0, < 2.9.20 |
Related Weaknesses (CWE)
References
- https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0Patch
- https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38Patch
- https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625aPatch
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3wExploitVendor Advisory
- https://github.com/argoproj/argo-cd/commit/46c0c0b64deaab1ece70cb701030b76668ad0Patch
- https://github.com/argoproj/argo-cd/commit/540e3a57b90eb3655db54793332fac86bcc38Patch
- https://github.com/argoproj/argo-cd/commit/d881ee78949e23160a0b280bb159e4d3d625aPatch
- https://github.com/argoproj/argo-cd/security/advisories/GHSA-jmvp-698c-4x3wExploitVendor Advisory
FAQ
What is CVE-2024-40634?
CVE-2024-40634 is a vulnerability with a CVSS score of 7.5 (HIGH). Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. This report details a security vulnerability in Argo CD, where an unauthenticated attacker can send a specially crafted large ...
How severe is CVE-2024-40634?
CVE-2024-40634 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-40634?
Check the references section above for vendor advisories and patch information. Affected products include: Argoproj Argo Cd.